
Windows Analysis Report
TsWpfWrp.exe

Overview

General Information

Sample name: TsWpfWrp.exe
Analysis ID: 1579842
MD5: ffe0f3673552c76510434386fcf7d5a1
SHA1: 7f5a1179a2a2ff3e4672ce8b15fbbe3229c047aa
SHA256: e9e6d195fcc51fb2cbd47dc75c41daf9d94f64396aec40fdea90eee36eeaa1bb
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

ValleyRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Deletes itself after installation
Found evasive API chain checking for user administrative privileges
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to disable installed Antivirus / HIPS / PFW
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TsWpfWrp.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\TsWpfWrp.exe" MD5: FFE0F3673552C76510434386FCF7D5A1)
    • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • ParphaCrashReport64.exe (PID: 2828 cmdline: "C:\Program Files\Windows Mail\ParphaCrashReport64.exe" MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A)
      • svchost.exe (PID: 2860 cmdline: C:\Windows\system32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dllhost.exe (PID: 5948 cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: TsWpfWrp.exe | Rule: INDICATOR_EXE_Packed_Enigma | Description: Detects executables packed with Enigma | Author: ditekSHen | Strings:
  • 0x278:$s2: .enigma1
  • 0x151e75c:$s2: .enigma1
  • 0x2a0:$s3: .enigma2
  • 0x151e770:$s3: .enigma2
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.2102369827.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp | Rule: INDICATOR_EXE_Packed_Enigma | Description: Detects executables packed with Enigma | Author: ditekSHen | Strings:
  • 0x278:$s2: .enigma1
  • 0x2a0:$s3: .enigma2
Source: 00000000.00000000.2072292358.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp | Rule: INDICATOR_EXE_Packed_Enigma | Description: Detects executables packed with Enigma | Author: ditekSHen | Strings:
  • 0x278:$s2: .enigma1
  • 0x2a0:$s3: .enigma2
Source: Process Memory Space: svchost.exe PID: 1068 | Rule: JoeSecurity_ValleyRAT | Description: Yara detected ValleyRAT | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.0.TsWpfWrp.exe.7ff6e0c00000.0.raw.unpack | Rule: INDICATOR_EXE_Packed_Enigma | Description: Detects executables packed with Enigma | Author: ditekSHen | Strings:
  • 0x278:$s2: .enigma1
  • 0x2a0:$s3: .enigma2
Source: 0.2.TsWpfWrp.exe.7ff6e0c00000.9.raw.unpack | Rule: INDICATOR_EXE_Packed_Enigma | Description: Detects executables packed with Enigma | Author: ditekSHen | Strings:
  • 0x278:$s2: .enigma1
  • 0x2a0:$s3: .enigma2

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TsWpfWrp.exe", ParentImage: C:\Users\user\Desktop\TsWpfWrp.exe, ParentProcessId: 6388, ParentProcessName: TsWpfWrp.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1068, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TsWpfWrp.exe", ParentImage: C:\Users\user\Desktop\TsWpfWrp.exe, ParentProcessId: 6388, ParentProcessName: TsWpfWrp.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule, ProcessId: 1068, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: TsWpfWrp.exe | ReversingLabs: Detection: 26%
Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
Source: C:\Windows\System32\svchost.exe | Directory created: C:\Program Files\Windows Mail\arphaDump64.dll
Source: TsWpfWrp.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb | source: TsWpfWrp.exe, TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb | source: TsWpfWrp.exe, TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.3.dr
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,5_2_0000000180026810
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000180026810 NetUserEnum,lstrlenW,NetApiBufferFree,malloc,VirtualFree,VirtualFree,free,VirtualFree,VirtualFree,6_2_0000000180026810
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe | Code function: 4_2_00007FF671C08F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,4_2_00007FF671C08F78
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,5_2_000000018001E210
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001C850
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,5_2_000000018001DDD0
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,6_2_000000018001E210
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_000000018001CCF0
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,6_2_000000018001DDD0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180029300
Source: unknown | TCP traffic detected without corresponding DNS query: 52.74.204.186
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180032C50 VirtualAlloc,CreateEventW,WSARecv,WSAGetLastError,WaitForMultipleObjects,WSAGetOverlappedResult,WSAGetLastError,CloseHandle,VirtualFree,5_2_0000000180032C50
Strings found in binary or memory, grouped by source:

Source: TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe.3.dr
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
  • http://ocsp.digicert.com0
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0

Source: ParphaCrashReport64.exe.3.dr
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0

Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp
  • http://ejemplo.com
  • https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=afCtrl$1
  • https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
  • https://chrome.google.com/webstore?hl=en-GBCtrl$1
  • https://chrome.google.com/webstore?hl=enCtrl$1
  • https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
  • https://chrome.google.com/webstore?hl=es-419Ctrl$1
  • https://chrome.google.com/webstore?hl=esCtrl$1
  • https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=etCtrl$1
  • https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=fiCtrl$1
  • https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?
  • https://chrome.google.com/webstore?hl=filCtrl$1
  • https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
  • https://chrome.google.com/webstore?hl=frCtrl$1
  • https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
  • https://chrome.google.com/webstore?hl=zh-TWCtrl$1
  • https://ejemplo.com.Se
  • https://passwords.google.com
  • https://passwords.google.comContrase
  • https://passwords.google.comGestoorde
  • https://passwords.google.comMga
  • https://passwords.google.comMots
  • https://passwords.google.comSe
  • https://passwords.google.comSelle
  • https://passwords.google.comT
  • https://support.google.com/chrome/answer/6098869?hl=es

Source: TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp
  • https://chrome.google.com/webstore/category/extensions
  • https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
  • https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
  • https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
  • https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
  • https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
  • https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
  • https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
  • https://myactivity.google.com/
  • https://passwords.google.comSaved
  • https://policies.google.com/
  • https://support.google.com/chrome/a/?p=browser_profile_details
  • https://support.google.com/chrome/a/answer/9122284
  • https://support.google.com/chrome/answer/6098869
    Source: TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
    Source: TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&AideG
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
    Source: TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosi
    Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_000000018002F1B0 OpenClipboard,Sleep,GetLastError,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000180026200 VirtualFree,VirtualFree,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_00000001800197D0 EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,lstrlenW,memcmp,lstrlenW,lstrlenW,lstrlenW,memcpy,OpenClipboard,CloseClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_00000001800199F0 lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,lstrlenW,WideCharToMultiByte,VirtualAlloc,lstrlenW,WideCharToMultiByte,WideCharToMultiByte,lstrlenA,memcpy,OpenClipboard,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrlenA,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,VirtualFree,VirtualFree
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_000000018001AC60 DefWindowProcW,SendMessageW,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,lstrlenW,lstrlenW,GlobalUnlock,CloseClipboard,VirtualFree,VirtualFree,CloseClipboard,SendMessageW,PostQuitMessage
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_000000018001A410 GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
    Source: TsWpfWrp.exe, 00000000.00000002.2100282045.00000150F22BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_273e00b1-2

    System Summary

    Source: TsWpfWrp.exe, type: SAMPLE Matched rule: Detects executables packed with Enigma (Author: ditekSHen)
    Source: 0.0.TsWpfWrp.exe.7ff6e0c00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma (Author: ditekSHen)
    Source: 0.2.TsWpfWrp.exe.7ff6e0c00000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Enigma (Author: ditekSHen)
    Source: 00000000.00000002.2102369827.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma (Author: ditekSHen)
    Source: 00000000.00000000.2072292358.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma (Author: ditekSHen)
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180005824 realloc,NtQuerySystemInformation
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800080F2 VirtualAllocEx,WriteProcessMemory,memset,memcpy,NtAlpcConnectPort
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001801192F0 NtQuerySystemInformation
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000180012830 NtQuerySystemInformation,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,VirtualProtect,VirtualProtect
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000180011AE0 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\dllhost.exe Code function: 6_2_0000000180011C70 CreateEventW,VirtualAlloc,WaitForSingleObject,NtQuerySystemInformation,VirtualFree,VirtualAlloc,memset,NtQuerySystemInformation,lstrcmpiW,WaitForSingleObject,CloseHandle
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_00000001800205A0: CreateFileW,memset,lstrlenA,DeviceIoControl,CloseHandle
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_0000000180030180 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,Sleep
    Source: C:\Windows\System32\svchost.exe Code function: 5_2_00000001800201A0 GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserW,CreateProcessAsUserW
    Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800080F2
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180009BC0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800054D5
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800015B0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180001010
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003833
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180028038
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180014848
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000284D
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018002C080
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003880
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800180EE
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000290C
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180004153
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002170
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000B1AC
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800069E0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800151E8
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002A06
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180001A10
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002A19
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003220
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000225E
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018001AA6C
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000B280
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180006AB0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000C2D0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003AE0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000435B
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000C370
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180023B98
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800033B8
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018001FC0C
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180028464
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003464
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000947B
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002C8A
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180004CB0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800044C1
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003CF2
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002526
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003530
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180007550
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180001D60
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180016D88
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800045A9
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003DBC
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000360B
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000B620
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002E24
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180005E58
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002666
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180029E8C
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000469C
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180024EB0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000BEB0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000B6C0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180008EC0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018001FED8
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_00000001800096E0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000DEE8
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_000000018000C6F0
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180003717
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180010F18
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180021F44
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180006F70
    Source: C:\Users\user\Desktop\TsWpfWrp.exe Code function: 0_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180001010
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180001A10
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180001D60
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003833
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180028038
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180014848
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000284D
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018002C080
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003880
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800180EE
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800080F2
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000290C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180004153
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002170
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000B1AC
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800069E0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800151E8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002A06
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002A19
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003220
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000225E
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018001AA6C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000B280
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180006AB0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000C2D0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003AE0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000435B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000C370
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180023B98
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800033B8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180009BC0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018001FC0C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180028464
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003464
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000947B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002C8A
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180004CB0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800044C1
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800054D5
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003CF2
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002526
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003530
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180007550
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180016D88
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800045A9
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003DBC
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000360B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000B620
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002E24
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180005E58
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002666
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180029E8C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000469C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180024EB0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000BEB0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000B6C0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180008EC0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018001FED8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000001800096E0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000DEE8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_000000018000C6F0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180003717
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180010F18
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180021F44
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180006F70
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_0000000180002777
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333D2E8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333BAF0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A334F2D8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3338AE0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3351344
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332B17
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3340318
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331B77
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3336370
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332A0B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332224
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333AA20
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A335928C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331A66
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3335258
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33382C0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333AAC0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33542B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333B2B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3333A9C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33330F2
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33348D5
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3336950
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331926
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332930
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3346188
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331160
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33331BC
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33339A9
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33309B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A334F00C
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333208A
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333887B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332864
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3357864
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33338C1
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33340B0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332EE0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3332620
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333B770
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A333375B
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33327B8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3338FC0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3352F98
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331E06
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3330E10
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A33445E8
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3335DE0
    Source: C:\Windows\System32\svchost.exe Code function: 3_2_00000254A3331E19
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A333A6803_2_00000254A333A680
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3349E6C3_2_00000254A3349E6C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A333165E3_2_00000254A333165E
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A333B6D03_2_00000254A333B6D0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3335EB03_2_00000254A3335EB0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3331D0C3_2_00000254A3331D0C
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33374F23_2_00000254A33374F2
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33474EE3_2_00000254A33474EE
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33335533_2_00000254A3333553
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33315703_2_00000254A3331570
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A333A5AC3_2_00000254A333A5AC
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33304103_2_00000254A3330410
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3343C483_2_00000254A3343C48
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3331C4D3_2_00000254A3331C4D
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A33574383_2_00000254A3357438
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3332C333_2_00000254A3332C33
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A335B4803_2_00000254A335B480
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A3332C803_2_00000254A3332C80
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BFEB34
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BF92B0
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BFC1C0
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C10148
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C0C52C
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C03CD4
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C07C60
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BFAE50
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BF8910
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C0C100
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C0600C
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BF4FE0
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C08F78
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C03FA0
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671BF1FB0
Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exe  Code function: 4_2_00007FF671C0DF54
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180012140
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180015150
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800224E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180020680
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800176E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001F9E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001AAD0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180013E10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006FF7
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002E010
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006057
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180001070
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800020C7
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000A110
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007113
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000612D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180044140
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007160
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000517A
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000517C
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180011180
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001A190
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180019190
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000219F
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000A1E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800061EC
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180018230
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180001264
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180031270
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000227C
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180027290
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002B2D0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800642E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800062E6
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000D2F0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800062F9
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180029300
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180003300
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180062327
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180025340
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018005B380
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800073C0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800173D0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800083E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800013F7
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018004C410
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180014410
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001D420
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180023464
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180003470
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800244B0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800054E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800334F0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180026530
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001E550
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000656A
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180009588
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180025590
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001B5A0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800075D2
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000F5E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000C5F0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180016630
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180001630
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018003664B
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180032660
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180056670
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000769C
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000A6A0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800486E0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180024700
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006704
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001F710
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000271A
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180033760
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180063770
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000176F
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180018780
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180052790
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800367B8
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800257C0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002A7F0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180030810
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000B822
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001C850
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180027870
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180028880
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002F890
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018003A8BC
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800138D0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000E8DC
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180024930
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180002971
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000E9B0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_00000001800199F0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180053A00
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000FA00
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180021A10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180025A10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002AA30
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180003A32
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007A33
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001EA40
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180005A50
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180004A98
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000FAA0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180035AD0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006B00
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180005B3E
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180012B50
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180024B60
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000CBAB
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180023BC0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180002BD6
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180008C05
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180030C20
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006B00
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC27
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC30
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC39
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007C3B
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC42
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC4B
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC54
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180065C60
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002FC5D
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000AC80
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180035C90
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180025C90
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006C98
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180036C9E
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180061CA7
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180003CA6
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180019CB0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180002CD2
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001CCF0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180038D24
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002AD30
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006D44
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000ED50
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180062D70
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180001D80
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180002D8A
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180024D90
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180018DA0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007DA1
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018002BDC0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000EDF0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018003DE00
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180005E06
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180029E10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006E10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000CE10
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018000FE20
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001AE40
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007E89
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180059E90
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180019EC0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180003EC7
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180006EEB
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180005F46
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180036F5F
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180016F60
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018005CF70
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180007F7C
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180021F80
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180001F88
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180044F90
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180034FA0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180017FA0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180015FB0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180004FB5
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180024FC0
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_000000018001EFC0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180012140
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180018780
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180023BC0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180019CB0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001AE40
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180006FF7
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018002E010
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180006057
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180001070
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800020C7
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000A110
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180007113
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000612D
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180044140
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180015150
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180007160
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000517A
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000517C
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180011180
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001A190
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180019190
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000219F
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000A1E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800061EC
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180018230
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180001264
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180031270
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000227C
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180027290
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018002B2D0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800642E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800062E6
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000D2F0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800062F9
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180029300
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180003300
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180062327
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180025340
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018005B380
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800073C0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800173D0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800083E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800013F7
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018004C410
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180014410
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001D420
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180023464
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180003470
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800244B0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800224E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800054E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800334F0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180026530
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001E550
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000656A
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180009588
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180025590
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001B5A0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800075D2
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000F5E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000C5F0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180016630
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180001630
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018003664B
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180032660
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180056670
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180020680
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000769C
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000A6A0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800486E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800176E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180024700
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180006704
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001F710
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000271A
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180033760
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180063770
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000176F
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180052790
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800367B8
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800257C0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018002A7F0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180030810
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000B822
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001C850
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180027870
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180028880
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018002F890
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018003A8BC
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800138D0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000E8DC
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180024930
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180002971
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000E9B0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001F9E0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_00000001800199F0
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180053A00
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018000FA00
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180021A10
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180025A10
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018002AA30
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180003A32
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180007A33
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_000000018001EA40
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180005A50
Source: C:\Windows\System32\dllhost.exe  Code function: 6_2_0000000180004A98
Source: C:\Windows\System32\svchost.exe  Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\svchost.exe  Code function: String function: 0000000180041800 appears 91 times
Source: C:\Windows\System32\dllhost.exe  Code function: String function: 0000000180044F40 appears 61 times
Source: C:\Windows\System32\dllhost.exe  Code function: String function: 0000000180041800 appears 91 times
Source: TsWpfWrp.exe  Static PE information: invalid certificate
Source: TsWpfWrp.exe  Static PE information: Number of sections : 18 > 10
Source: TsWpfWrp.exe  Binary or memory string: OriginalFilename vs TsWpfWrp.exe
Source: TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs TsWpfWrp.exe
Source: TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamearphaCrashReport.exe2 vs TsWpfWrp.exe
Source: TsWpfWrp.exe, type: SAMPLE  Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.0.TsWpfWrp.exe.7ff6e0c00000.0.raw.unpack, type: UNPACKEDPE  Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 0.2.TsWpfWrp.exe.7ff6e0c00000.9.raw.unpack, type: UNPACKEDPE  Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000002.2102369827.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY  Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000000.00000000.2072292358.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY  Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: TsWpfWrp.exe  Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E1E50000.00000008.00000001.01000000.00000003.sdmp  Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
Source: classification engine  Classification label: mal100.troj.evad.winEXE@7/4@0/1
Source: C:\Windows\System32\svchost.exe  Code function: 5_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180027290
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180029300
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,5_2_0000000180020480
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180027870
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,5_2_0000000180029A70
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,5_2_000000018001FD10
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,5_2_000000018002CE70
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180027290 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedTcpTable,VirtualAlloc,GetExtendedTcpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_0000000180027290
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_0000000180029300
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180020480 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,GetLastError,memcpy,6_2_0000000180020480
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180020680 VirtualAlloc,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualAlloc,InitializeCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,6_2_0000000180020680
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180027870 memset,lstrlenW,lstrlenW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetExtendedUdpTable,VirtualAlloc,GetExtendedUdpTable,VirtualFree,memset,lstrlenW,memset,inet_ntoa,lstrcpyA,lstrlenA,htons,lstrlenA,memset,lstrlenW,VirtualFree,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_0000000180027870
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180029A70 memset,memset,VirtualFree,VirtualFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,TerminateProcess,Sleep,DeleteFileW,lstrcpyW,lstrcatW,TerminateProcess,CloseHandle,Sleep,6_2_0000000180029A70
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001FD10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,OpenProcess,GetLastError,6_2_000000018001FD10
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018002CE70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,memset,OpenProcess,K32EnumProcessModules,K32GetProcessImageFileNameW,lstrcpyW,CloseHandle,6_2_000000018002CE70
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001C4E0 memset,memset,memset,QueryDosDeviceW,GetDriveTypeW,lstrlenW,GetVolumeInformationW,lstrlenW,GetDiskFreeSpaceExW,5_2_000000018001C4E0
    Source: C:\Windows\System32\svchost.exeCode function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,5_2_00000001800263C0
    Source: C:\Windows\System32\dllhost.exeCode function: memset,lstrcatW,memset,GetWindowsDirectoryW,GetLastError,lstrcatW,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,GetLastError,StartServiceW,CloseServiceHandle,CloseServiceHandle,6_2_00000001800263C0
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_00000001800223B0 CreateToolhelp32Snapshot,malloc,Process32FirstW,lstrlenW,lstrlenW,Process32NextW,lstrlenW,Process32NextW,free,CloseHandle,5_2_00000001800223B0
    Source: C:\Users\user\Desktop\TsWpfWrp.exeCode function: 0_2_0000000180001A10 CoInitialize,CLSIDFromString,IIDFromString,CoCreateInstance,0_2_0000000180001A10
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BF64E0 LoadResource,LockResource,SizeofResource,4_2_00007FF671BF64E0
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180012140 WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess,5_2_0000000180012140
    Source: C:\Windows\System32\svchost.exeFile created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: TsWpfWrp.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSystem information queried: HandleInformation
    Source: C:\Users\user\Desktop\TsWpfWrp.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: TsWpfWrp.exeReversingLabs: Detection: 26%
    Source: svchost.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: svchost.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exeString found in binary or memory: /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: dllhost.exeString found in binary or memory: \\.\{F8284233-48F4-4680-ADDD-F8284233}
    Source: unknownProcess created: C:\Users\user\Desktop\TsWpfWrp.exe "C:\Users\user\Desktop\TsWpfWrp.exe"
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: apphelp.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: winmm.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: userenv.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: version.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: netapi32.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: netutils.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: srvcli.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: wldp.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: profapi.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: powrprof.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: umpdc.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeSection loaded: dwrite.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winmm.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netapi32.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: napinsp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: pnrpnsp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wshbth.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: nlaapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winrnr.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: devenum.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: msdmo.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: winmm.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: netapi32.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: samcli.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: wtsapi32.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: firewallapi.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: fwbase.dll
    Source: C:\Windows\System32\dllhost.exeSection loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\svchost.exeDirectory created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exeDirectory created: C:\Program Files\Windows Mail\arphaDump64.dll
    Source: TsWpfWrp.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: TsWpfWrp.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: TsWpfWrp.exeStatic file information: File size 23300152 > 1048576
    Source: TsWpfWrp.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x9be800
    Source: TsWpfWrp.exeStatic PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0xbf1e00
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: TsWpfWrp.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: TsWpfWrp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\Build\PX\A\PoisonX\nvsphelperplugin64\x64\Release\arphaDump64.pdb source: TsWpfWrp.exe, TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp
    Source: Binary string: D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release_X64\arphaCrashReport64.exe.pdb source: TsWpfWrp.exe, TsWpfWrp.exe, 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, TsWpfWrp.exe, 00000000.00000002.2101728471.00000150F3B30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, ParphaCrashReport64.exe, 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp, ParphaCrashReport64.exe.3.dr
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A27D0508 LoadLibraryA,GetProcAddressForCaller,3_2_00000254A27D0508
    Source: TsWpfWrp.exeStatic PE information: section name: .enigma1
    Source: TsWpfWrp.exeStatic PE information: section name: .enigma2
    Source: TsWpfWrp.exeStatic PE information: section name: .vmp1
    Source: TsWpfWrp.exeStatic PE information: section name: .vmp2
    Source: TsWpfWrp.exeStatic PE information: section name: .arch
    Source: TsWpfWrp.exeStatic PE information: section name: .srdata
    Source: TsWpfWrp.exeStatic PE information: section name: .xdata
    Source: TsWpfWrp.exeStatic PE information: section name: .xpdata
    Source: TsWpfWrp.exeStatic PE information: section name: .xtls
    Source: TsWpfWrp.exeStatic PE information: section name: .themida
    Source: TsWpfWrp.exeStatic PE information: section name: .dsstext
    Source: TsWpfWrp.exeStatic PE information: section name: .qtmetad
    Source: TsWpfWrp.exeStatic PE information: section name: .qtmimed
    Source: TsWpfWrp.exeStatic PE information: section name: _RDATA
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001C3E0 push rcx; ret 5_2_000000018001C3E1
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_00000001800619F7 push FF491775h; ret 5_2_00000001800619FC
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001C3E0 push rcx; ret 6_2_000000018001C3E1
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_00000001800619F7 push FF491775h; ret 6_2_00000001800619FC
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_00000001800230FE VirtualFree,VirtualFree,malloc,malloc,VirtualFree,VirtualFree,NetUserAdd,Sleep,NetLocalGroupAddMembers,free,free,5_2_00000001800230FE
    Source: C:\Windows\System32\svchost.exeFile created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018002D060 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_000000018002D060

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\svchost.exeFile deleted: c:\users\user\desktop\tswpfwrp.exe
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001BFC0 OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,OpenEventLogW,ClearEventLogW,CloseEventLog,5_2_000000018001BFC0
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\dllhost.exeCheck user administrative privileges: IsUserAndAdmin, DecisionNode
    Source: C:\Users\user\Desktop\TsWpfWrp.exeCheck user administrative privileges: IsUserAndAdmin, DecisionNode graph_0-13627
    Source: C:\Windows\System32\svchost.exeCheck user administrative privileges: IsUserAndAdmin, DecisionNode graph_3-27926
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180016F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180016F60
    Source: C:\Users\user\Desktop\TsWpfWrp.exeCode function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,0_2_00000001800015B0
    Source: C:\Users\user\Desktop\TsWpfWrp.exeCode function: EnumServicesStatusExW,0_2_0000000180119010
    Source: C:\Windows\System32\svchost.exeCode function: malloc,memcpy,malloc,memset,memcpy,memset,GetModuleFileNameW,malloc,memset,memcpy,OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,3_2_00000001800015B0
    Source: C:\Windows\System32\svchost.exeCode function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,5_2_000000018002D140
    Source: C:\Windows\System32\svchost.exeCode function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018002F890
    Source: C:\Windows\System32\dllhost.exeCode function: OpenSCManagerW,EnumServicesStatusExW,malloc,memset,EnumServicesStatusExW,CloseServiceHandle,free,CloseServiceHandle,lstrcmpiW,free,6_2_000000018002D140
    Source: C:\Windows\System32\dllhost.exeCode function: OpenSCManagerW,EnumServicesStatusW,LocalAlloc,EnumServicesStatusW,memset,OpenServiceW,lstrlenW,memcpy,lstrlenW,memcpy,VirtualAlloc,QueryServiceConfig2W,lstrlenW,memcpy,lstrcpyW,VirtualAlloc,QueryServiceConfigW,lstrcpyW,lstrlenW,memcpy,lstrlenW,memcpy,lstrlenW,memcpy,CloseServiceHandle,VirtualFree,VirtualFree,CloseServiceHandle,LocalFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_000000018002F890
    Source: C:\Windows\System32\svchost.exeAPI coverage: 7.5 %
    Source: C:\Windows\System32\dllhost.exeAPI coverage: 3.2 %
    Source: C:\Windows\System32\svchost.exe TID: 4796Thread sleep count: 33 > 30
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671C08F78 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,4_2_00007FF671C08F78
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,5_2_000000018001E210
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001C850
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_000000018001CCF0
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,5_2_000000018001DDD0
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001E210 __chkstk,memset,memset,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,memset,lstrcatW,lstrcatW,lstrcatW,Sleep,lstrlenW,wcsstr,GetCurrentThread,IsBadReadPtr,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,LeaveCriticalSection,WaitForSingleObject,VirtualFree,VirtualFree,6_2_000000018001E210
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001C850 memset,lstrcatW,lstrcatW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_000000018001C850
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001CCF0 memset,memset,memset,memset,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,memset,memset,wsprintfW,wsprintfW,FindFirstFileW,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,memset,memset,wsprintfW,FindFirstFileW,FindNextFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,memset,memset,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,lstrlenW,FindClose,VirtualFree,VirtualFree,VirtualFree,VirtualFree,6_2_000000018001CCF0
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_000000018001DDD0 malloc,memset,FindFirstFileW,free,6_2_000000018001DDD0
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180029300 __chkstk,memset,memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,memset,lstrcpyW,GetPriorityClass,memset,memset,OpenProcessToken,GetTokenInformation,GlobalAlloc,GetTokenInformation,LookupAccountSidW,LookupAccountSidW,lstrcpyW,GlobalFree,CloseHandle,ProcessIdToSessionId,K32GetProcessMemoryInfo,K32EnumProcessModules,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,wcsncmp,lstrcpyW,CreateFileW,GetFileSize,CloseHandle,lstrcpyW,lstrcatW,CloseHandle,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180029300
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_00000001800224E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_00000001800224E0
    Source: svchost.exe, 00000003.00000002.3337470582.00000254A2FDA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
    Source: TsWpfWrp.exeBinary or memory string: .?AVQEmulationPaintEngine@@
    Source: svchost.exe, 00000003.00000002.3335411502.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.2080264468.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3334322906.000001F95C813000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000006.00000002.3334276117.00000290D6B5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\TsWpfWrp.exeAPI call chain: ExitProcess graph end nodegraph_0-13634
    Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end nodegraph_3-27933
    Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput,5_2_000000018002E010
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671C021D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF671C021D8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BFD1E8 GetLastError,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF671BFD1E8
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180016F60 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,GetProcessHeap,HeapAlloc,CloseHandle,WTSGetActiveConsoleSessionId,Process32FirstW,lstrcmpiW,Process32NextW,GetProcessHeap,HeapFree,CloseHandle,ProcessIdToSessionId,CreateThread,VirtualFree,VirtualFree,VirtualFree,VirtualFree,5_2_0000000180016F60
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180034DA0 VirtualAlloc ?,?,00000000,0000000180035130,?,?,00000000,0000000180014AAC5_2_0000000180034DA0
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000254A27D0508 LoadLibraryA,GetProcAddressForCaller,3_2_00000254A27D0508
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BFD964 InterlockedPushEntrySList,GetProcessHeap,HeapFree,4_2_00007FF671BFD964
    Source: C:\Users\user\Desktop\TsWpfWrp.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\svchost.exeCode function: 3_2_00000001801129E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00000001801129E0
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671C021D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF671C021D8
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BFED0C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF671BFED0C
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BFE440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF671BFE440
    Source: C:\Program Files\Windows Mail\ParphaCrashReport64.exeCode function: 4_2_00007FF671BFEEF4 SetUnhandledExceptionFilter,4_2_00007FF671BFEEF4
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000000180060030
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0000000180064130
    Source: C:\Windows\System32\svchost.exeCode function: 5_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0000000180060770
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180060030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0000000180060030
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180064130 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0000000180064130
    Source: C:\Windows\System32\dllhost.exeCode function: 6_2_0000000180060770 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0000000180060770

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\svchost.exe | File created: ParphaCrashReport64.exe.3.dr
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A3200000 protect: page read and write
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27B0000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27C0000 protect: page read and write
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001F9E0 VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,GetLastError,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,memset,GetThreadContext,SetThreadContext,memset,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,GetLastError, 5_2_000000018001F9E0
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW, 5_2_000000018002E4D0
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread, 5_2_000000018001F710
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree, 5_2_0000000180029E10
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018002E4D0 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW,lstrcmpiW,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,Process32NextW, 6_2_000000018002E4D0
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018001F710 VirtualAllocEx,GetLastError,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,GetModuleHandleW,GetProcAddress,CreateRemoteThread, 6_2_000000018001F710
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000180029E10 VirtualAlloc,GetLastError,VirtualFree,VirtualFree,GetLastError,memset,lstrcatW,lstrcatW,lstrcatW,memset,memset,memcpy,VirtualFree,VirtualFree,VirtualFree,VirtualFree,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree,VirtualFree,GetLastError,VirtualFree,VirtualFree, 6_2_0000000180029E10
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 2860
    Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 5948
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A3200000
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27B0000
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 290D6990000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 290D6A20000
    Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 290D6980000
    Source: C:\Windows\System32\svchost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 5_2_0000000180012140
    Source: C:\Windows\System32\dllhost.exe | Code function: WSAStartup,GetCommandLineW,CommandLineToArgvW,VirtualAlloc,InitializeCriticalSection,VirtualAlloc,InitializeCriticalSection,memset,GetCurrentProcessId,lstrcmpiW,lstrcmpiW,ExitThread,lstrcmpiW,GetCurrentProcess,TerminateProcess,lstrcmpiW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,WaitForSingleObject,GetExitCodeProcess,Sleep,CreateThread,WaitForSingleObject,CloseHandle,memset,GetModuleFileNameW,wcsstr,GetNativeSystemInfo,ExitProcess,memset,GetModuleFileNameW,IsUserAnAdmin,memset,wsprintfW,OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,CloseServiceHandle,lstrcmpiW,lstrcmpiW,GetNativeSystemInfo,ExitProcess,GetCurrentProcess,TerminateProcess, svchost.exe 6_2_0000000180012140
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput, 5_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018002E010 BlockInput,BlockInput,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,BlockInput, 5_2_000000018002E010
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Mail\ParphaCrashReport64.exe "C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\svchost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: C:\Windows\System32\dllhost.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: svchost.exe, 00000005.00000003.2741123342.000001F95DE30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2741145992.000001F95DE50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000006.00000003.2722198921.00000290D90A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
    Source: svchost.exe, 00000005.00000003.2741349171.000001F95DEF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2741165058.000001F95DF70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TCPProgram Manager
    Source: svchost.exe, 00000005.00000003.3331152471.000001F95DF70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3331307620.000001F95DEF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TCPProgram Manager|
    Source: svchost.exe, 00000005.00000003.3331112531.000001F95DE50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3335384133.000001F95DE50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3331135085.000001F95DE30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager|
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Code function: 0_2_000000018002BBA8 cpuid 0_2_000000018002BBA8
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\MicrosoftMailUpdateTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180027E20 CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError, 5_2_0000000180027E20
    Source: C:\Users\user\Desktop\TsWpfWrp.exe | Code function: 0_2_0000000180112B5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000180112B5C
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00000001800224E0 memset,memset,memset,memset,gethostname,gethostbyname,inet_ntoa,wsprintfW,lstrcatW,GetForegroundWindow,GetWindowTextW,VirtualAlloc,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,VirtualFree,GetComputerNameW,GetCurrentProcess,IsWow64Process,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,GetSystemInfo,wsprintfW,GlobalMemoryStatusEx,wsprintfW,VirtualAlloc,VirtualAlloc,GetUserNameW,GetCurrentProcessId,wsprintfW,VirtualFree,VirtualFree,memset,GetWindowsDirectoryW,GetLastError,GetVolumeInformationW,wsprintfA,wsprintfA,wsprintfW,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,GetCurrentProcess,IsWow64Process,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 5_2_00000001800224E0

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1068, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1068, type: MEMORYSTR
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection, 5_2_0000000180021520
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket, 5_2_0000000180047630
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_000000018004A830 socket,socket,htonl,bind,getsockname, 5_2_000000018004A830
    Source: C:\Windows\System32\svchost.exe | Code function: 5_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons, 5_2_0000000180056B30
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000180021520 memset,VirtualFree,VirtualFree,socket,setsockopt,htons,inet_addr,htonl,bind,WSAGetLastError,listen,CreateThread,IsBadReadPtr,EnterCriticalSection,VirtualAlloc,LeaveCriticalSection, 6_2_0000000180021520
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000180047630 socket,setsockopt,setsockopt,setsockopt,WSAGetLastError,listen,closesocket,WSAGetLastError,closesocket,closesocket, 6_2_0000000180047630
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_000000018004A830 socket,socket,htonl,bind,getsockname, 6_2_000000018004A830
    Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000180056B30 htons,_unlink,bind,WSAGetLastError,getsockname,htons, 6_2_0000000180056B30
    MITRE ATT&CK Matrix (one technique per tactic column per row; a number in parentheses is the count of matching signatures)

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (3) | Input Capture (21) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | Create Account (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (11) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Valid Accounts (1) | Access Token Manipulation (11) | Obfuscated Files or Information (2) | Security Account Manager | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Steganography | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (1) | Windows Service (12) | Windows Service (12) | Software Packing (1) | NTDS | File and Directory Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Service Execution (12) | Scheduled Task/Job (1) | Process Injection (523) | DLL Side-Loading (1) | LSA Secrets | System Information Discovery (25) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Scheduled Task/Job (1) | File Deletion (1) | Cached Domain Credentials | Network Share Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | Security Software Discovery (41) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | Virtualization/Sandbox Evasion (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (1) | /etc/passwd and /etc/shadow | Process Discovery (4) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (11) | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (523) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
    Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Indicator Removal (1) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
    Source | Detection | Scanner | Label | Link
    TsWpfWrp.exe | 26% | ReversingLabs | Win64.Trojan.Generic |

    Source | Detection | Scanner | Label | Link
    C:\Program Files\Windows Mail\ParphaCrashReport64.exe | 4% | ReversingLabs | |

    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://support.google.com/chrome/answer/6098869?hl=es | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://support.google.com/chrome/answer/6098869 | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.html | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=es-419Ctrl$1 | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=etCtrl$1 | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comSaved | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore?hl=zh-TWCtrl$1 | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://myactivity.google.com/ | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.comSelle | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://passwords.google.comGestoorde | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://passwords.google.com | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://policies.google.com/ | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://chrome.google.com/webstore?hl=esCtrl$1 | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | high
    https://ejemplo.com.Se | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
    https://chrome.google.com/webstore?hl=afCtrl$1 | TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmp | false | |
                                                        high
                                                        https://passwords.google.comSeTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                          unknown
                                                          https://www.google.com/chrome/privacy/eula_text.html&AideGTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                            high
                                                            https://chromeenterprise.google/policies/#BrowserSwitcherEnabledTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                              high
                                                              https://passwords.google.comMotsTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                unknown
                                                                https://chrome.google.com/webstore/category/extensionsTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                  high
                                                                  https://support.google.com/chromebook?p=app_intentTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                    high
                                                                    https://chrome.google.com/webstore?hl=frCtrl$1TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                      high
                                                                      https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivitTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                        high
                                                                        https://passwords.google.comTTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                          unknown
                                                                          https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?uTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                            high
                                                                            https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivityTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                              high
                                                                              https://support.google.com/chrome/answer/96817TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                high
                                                                                https://support.google.com/chrome/a/?p=browser_profile_detailsTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                  high
                                                                                  https://chrome.google.com/webstore?hl=filCtrl$1TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                    high
                                                                                    https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldabTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                      high
                                                                                      https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                        high
                                                                                        https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaanTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                          high
                                                                                          https://passwords.google.comMgaTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                            unknown
                                                                                            https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelistTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                              high
                                                                                              https://support.google.com/chrome/a/answer/9122284TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                high
                                                                                                https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                  high
                                                                                                  https://chrome.google.com/webstore?hl=enCtrl$1TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    https://passwords.google.comContraseTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                      unknown
                                                                                                      https://chrome.google.com/webstore?hl=fiCtrl$1TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                        high
                                                                                                        https://www.google.com/chrome/privacy/eula_text.htmlBestuurTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                          high
                                                                                                          https://www.google.com/chrome/privacy/eula_text.htmlO&hjeOrganisaatiosiTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                            high
                                                                                                            http://ejemplo.comTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                              unknown
                                                                                                              https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylistTsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministradoTsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                  high
                                                                                                                  https://chrome.google.com/webstore?hl=en-GBCtrl$1TsWpfWrp.exe, 00000000.00000000.2073146456.00007FF6E15C8000.00000008.00000001.01000000.00000003.sdmp, TsWpfWrp.exe, 00000000.00000002.2107227206.00007FF6E17BD000.00000008.00000001.01000000.00000003.sdmpfalse
                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
52.74.204.186 | unknown | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579842
Start date and time: 2024-12-23 11:22:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TsWpfWrp.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@0/1
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 56
• Number of non-executed functions: 287
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.63, 172.202.163.200, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ParphaCrashReport64.exe, PID 2828 because there are no executed functions
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: TsWpfWrp.exe
Time | Type | Description
11:23:06 | Task Scheduler | Run new task: MicrosoftMailUpdateTask path: C:\Program Files\Windows Mail\ParphaCrashReport64.exe
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 3.5.232.230
 | Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 3.5.232.130
 | Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 3.5.234.55
 | FBmz85HS0d.exe | malicious | LummaC | 185.166.143.50
 | armv5l.elf | malicious | Unknown | 108.159.159.70
 | BJQizQ6sqT.exe | malicious | LummaC | 185.166.143.48
 | jSFUzuYPG9.exe | malicious | LummaC | 52.216.152.124
 | mG83m82qhF.exe | malicious | LummaC | 185.166.143.49
 | LP4a6BowQN.exe | malicious | LummaC | 185.166.143.49
 | zLP3oiwG1g.exe | malicious | LummaC | 52.217.67.100
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\Windows Mail\ParphaCrashReport64.exe | hvix64.exe | malicious | ValleyRAT
 | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT
 | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT
 | png131.exe | malicious | ValleyRAT
 | install.exe | malicious | ValleyRAT
 | Telegrm2.69.exe | malicious | Unknown
 | Telegrm2.69.exe | malicious | Unknown
 | file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip | malicious | Unknown
 | SvpnLong2.exe | malicious | Unknown
 | SvpnLong2.exe | malicious | Unknown
Process: C:\Windows\System32\svchost.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 238384
Entropy (8bit): 6.278635939854228
Encrypted: false
SSDEEP: 3072:fN9rZ5vuFomptSepjTxUPjfOgwXCtRLDya09M9EvoHmkQ/2Y8L6vVefD:rZ5qomPSeCx7tRNQjSfD
MD5: 8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1: DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256: E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512: 1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: hvix64.exe, Detection: malicious
• Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious
• Filename: 2024-12-10#U67e5#U9605_uninst.exe, Detection: malicious
• Filename: png131.exe, Detection: malicious
• Filename: install.exe, Detection: malicious
• Filename: Telegrm2.69.exe, Detection: malicious
• Filename: Telegrm2.69.exe, Detection: malicious
• Filename: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip, Detection: malicious
• Filename: SvpnLong2.exe, Detection: malicious
• Filename: SvpnLong2.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):546252
                                                                                                                                        Entropy (8bit):6.5440917892906185
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:awnKbeNO/thmmWIK3z9rG3U9szzrHUPRxG0+UfYlrYS2:flXDp9HPYlr52
                                                                                                                                        MD5:996111D8F68CA68F51879BC144DBA8E1
                                                                                                                                        SHA1:8BA16B58A4FBDB3A9DB895E5970DD2DADF10BE1B
                                                                                                                                        SHA-256:BFDE37CB1F88166A842E7FA330A74504DA91FEAD4A229D898C0A05A315E12AD7
                                                                                                                                        SHA-512:FB624BC4D30A6CC9F81C8890FEDCD042E28374EEFC6211BCA1A99A8E5454E0A53005779F626A752B2AD80426F5ED132BD64966E64303C8C865DAC08D1507E498
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview:4...H..(H...D$8run.H.L$8.O...H..(...eH..%`......D..3.L..E..t"A........A..a.J..L.I....A..D....u..H.A.....H.\$.H.l$.H.t$.WAVAWH.. D......H.P.H.j L..I.......M..L.P0M..tLIcB<B.........t<I.<..O.I...j....w 3.I..D..9_.v...I...P...A..D;.t+..H...;_.r.L;.u.3.H.\$@H.l$HH.t$PH.. A_A^_.O$I..D...Y.O.I..B...I.......@SH.. H.......%...H..H.. [H....H.\$.WH.. H..H...........H..H..H.\$0H.. _H.....H.\$.UVWATAUAVAWH.. L..M..3.Z.H........2=..L.......-A..H.D$x....M..M.f.H.D$p3...A..y.H..(fA;A.s|I..9.u29E8~ZHc]8A......O.H..I..A.....A..L..G.3.H...T$p.-.O.A.......I..A.....A..W.H..D..I..H...T$x._.I....H..(..H......;.|.H.\$`H.. A_A^A]A\_^].H.\$.H.l$.H.t$ WATAUAVAWH..@L..-A........ ...H.L$ D..H..3...D.g.E..H.L$ A....E..W.H.L$$..E..W.H.L$(..E..W.H.L$,..E..W.H.L$0..E..W`H.L$4..E..H.L$8....E..W H.L$<....O.B....../.H...5...M..E3.L..A..H.........A..Y.I.q0H..(H#.fE;i.......I..D.C.A.....A.....E..A#.A...A#.A....s..K.A..@....H.....OH..B..I..RD.T. A....A....D.CT. ..u.A..@t.A.A ..E..y.A.A$..t..K.L.L$pH...E.
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):3198
                                                                                                                                        Entropy (8bit):3.559796516107948
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:48:yei1q9tNTyOXZj9c9V9Lbra+iaiudupRCRvA9ufAuRa7T5XhPsV8ic4dTKp+++:tX4diaigVA9ll7dhFF7+
                                                                                                                                        MD5:79C8530188472FA4159DE398A9CA797F
                                                                                                                                        SHA1:0B8743354489D4460DA39E8E4EF2230E9925F638
                                                                                                                                        SHA-256:46722563913B24900DFD02AFD809AE2BBABB5CE420AA81ECBF008F7ACE247F34
                                                                                                                                        SHA-512:2079F7EA505FC410028A0D36A408AFE97E0BDED14548EE6448F692FEEF2D55D52CE6EC9DF5A016C6737595275FF6BD5F4D5397F0C128445ED262B75BF4DD7EE5
                                                                                                                                        Malicious:false
                                                                                                                                        Reputation:low
                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.A.u.t.h.o.r.>.S.Y.S.T.E.M.<./.A.u.t.h.o.r.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.M.i.c.r.o.s.o.f.t. .M.a.i.l. .U.p.d.a.t.e. .T.a.s.k. .M.a.c.h.i.n.e.C.o.r.e.<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t.M.a.i.l.U.p.d.a.t.e.T.a.s.k.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.B.o.o.t.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.B.o.o.t.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.S.-.1.-.5.-.1.8.<./.U.s.
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):4680
                                                                                                                                        Entropy (8bit):3.7110470335740087
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:96:pYMguQII4iL6h4aGdinipV9ll7UY5HAmzQ+:9A4z/xne7HO+
                                                                                                                                        MD5:0B14A5A9AB641E4AA2C8EBCD74433059
                                                                                                                                        SHA1:07E746D03BE6CA350E624C4759354075F94EC80D
                                                                                                                                        SHA-256:A7BE6E47DA92D5D3A67ACED567DE28D261C062B5ACB0AE02FB05970F624FCF5F
                                                                                                                                        SHA-512:533E3553B6FE46FF9702CA01C688A13662303526399E20640FFC251530ABA498AE11A08E5BE892862F430B1D651C686F946E07B958633189656AF1D9A8B4DDC2
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
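The two task files above show the contrast worth hunting for. The dropped MicrosoftMailUpdateTask is registered under \Microsoft\Windows\ with a literal Author of SYSTEM and a plain-English description, runs as S-1-5-18 on a BootTrigger, and is written by svchost.exe only because the Task Scheduler service is hosted there (the registering process is what Security event 4698 records, if task auditing is on). The genuine SvcRestartTask next to it carries Source, Author and Description as $(@%systemroot%\system32\sppc.dll,-NNN) resource references, the way Microsoft-shipped tasks are localised. The following is an added example, not part of the Joe Sandbox report, that parses Task Scheduler XML the way it sits on disk under %SystemRoot%\System32\Tasks (UTF-16 LE with BOM and CRLF, matching the file type reported above) and scores each task on that contrast plus two weaker indicators. Both inputs are constructed from the fields visible above: the Actions block of the dropped task is not on the page, so the C:\ProgramData path is a hypothetical placeholder, and the trigger and action given to the SvcRestartTask stand-in are assumed for the demo.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Microsoft-shipped tasks carry MUI references such as $(@%systemroot%\system32\sppc.dll,-200)
RESOURCE_REF = re.compile(r"^\$\(@[^,]+,-\d+\)$")
TRUSTED_EXEC_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\",
                         "%programfiles%", "c:\\program files")


def parse_task_xml(raw: bytes) -> dict:
    """Parse a task definition as stored under %SystemRoot%\\System32\\Tasks (UTF-16 LE, BOM, CRLF)."""
    text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)      # declaration says UTF-16; bytes already decoded
    root = ET.fromstring(text)
    reg, principal = NS + "RegistrationInfo/" + NS, NS + "Principals/" + NS + "Principal/" + NS

    def field(path: str) -> str:
        return (root.findtext(path) or "").strip()

    return {
        "uri": field(reg + "URI"),
        "author": field(reg + "Author"),
        "source": field(reg + "Source"),
        "description": field(reg + "Description"),
        "user_id": field(principal + "UserId"),
        "triggers": [t.tag[len(NS):] for t in root.findall(NS + "Triggers/*")],
        "commands": [(e.findtext(NS + "Command") or "").strip()
                     for e in root.findall(NS + "Actions/" + NS + "Exec")],
    }


def score_task(task: dict):
    """Return (score, reasons); a score of 2 or more is worth an analyst's look."""
    score, reasons = 0, []
    mimics_microsoft = task["uri"].lower().startswith("\\microsoft\\windows\\")
    resource_labelled = bool(RESOURCE_REF.match(task["author"]) or RESOURCE_REF.match(task["source"]))
    if mimics_microsoft and not resource_labelled:
        score += 2
        reasons.append("under \\Microsoft\\Windows\\ with a literal Author/Source instead of a $(@dll,-id) reference")
    if task["user_id"] == "S-1-5-18" and "BootTrigger" in task["triggers"]:
        score += 1                                       # common for real system tasks too, hence weak
        reasons.append("runs as SYSTEM at boot")
    for cmd in task["commands"]:
        if not cmd.lower().startswith(TRUSTED_EXEC_PREFIXES):
            score += 2
            reasons.append("Exec target outside Windows/Program Files: " + cmd)
    return score, reasons


def as_task_file(xml: str) -> bytes:
    """Store the XML the way the Task Scheduler service does: BOM + UTF-16 LE + CRLF."""
    return b"\xff\xfe" + xml.replace("\n", "\r\n").encode("utf-16-le")


# Constructed inputs. DROPPED_TASK mirrors the fields visible in the dropped
# MicrosoftMailUpdateTask; its <Actions> block is not on the page, so the
# C:\ProgramData path is a hypothetical placeholder. GENUINE_TASK mirrors the
# SvcRestartTask header; its trigger and action are assumed for the demo.
DROPPED_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>SYSTEM</Author>
    <Description>Microsoft Mail Update Task MachineCore</Description>
    <URI>\Microsoft\Windows\MicrosoftMailUpdateTask</URI>
  </RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\MailUpdate\svc.exe</Command></Exec></Actions>
</Task>
"""
GENUINE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
    <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
    <Version>1.0</Version>
    <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
    <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
  </RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>%SystemRoot%\system32\sc.exe</Command></Exec></Actions>
</Task>
"""


def triage_samples() -> dict:
    return {name: score_task(parse_task_xml(as_task_file(xml)))
            for name, xml in (("MicrosoftMailUpdateTask", DROPPED_TASK),
                              ("SvcRestartTask", GENUINE_TASK))}


if __name__ == "__main__":
    for name, (score, reasons) in triage_samples().items():
        print(name, score, reasons)
```

Run over a real Tasks directory by feeding each file's bytes to parse_task_xml; the resource-reference check is the strong signal, and the SYSTEM-at-boot indicator is deliberately weighted low because many legitimate system tasks match it.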
                                                                                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                        Entropy (8bit):7.020544505708879
                                                                                                                                        TrID:
                                                                                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                        File name:TsWpfWrp.exe
                                                                                                                                        File size:23'300'152 bytes
                                                                                                                                        MD5:ffe0f3673552c76510434386fcf7d5a1
                                                                                                                                        SHA1:7f5a1179a2a2ff3e4672ce8b15fbbe3229c047aa
                                                                                                                                        SHA256:e9e6d195fcc51fb2cbd47dc75c41daf9d94f64396aec40fdea90eee36eeaa1bb
                                                                                                                                        SHA512:3691bb29462a80067fa58761cf53f94a4123005ac260ced246b9deb571682c857ac4a8d86674f3c258304327d90109ab092add04f81e1d6faa78b7f06a869ae0
                                                                                                                                        SSDEEP:393216:mg5vqpkNNXcmQwTLPKC1mc2k+bq2MJsv6tWKFdu9C+:7fswViq2X
                                                                                                                                        TLSH:8937CF07B29016A8E472E078DA53C117FB71F409A77097DB25A892D92F73BF0A93B351
                                                                                                                                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................................|.....3.............................................r...................]...r.......s.......s......
                                                                                                                                        Icon Hash:0b5bf1b4b4b0f35f
                                                                                                                                        Entrypoint:0x1408afbf0
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:true
                                                                                                                                        Imagebase:0x140000000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                        Time Stamp:0x67510954 [Thu Dec 5 02:00:52 2024 UTC]
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:
                                                                                                                                        OS Version Major:6
                                                                                                                                        OS Version Minor:0
                                                                                                                                        File Version Major:6
                                                                                                                                        File Version Minor:0
                                                                                                                                        Subsystem Version Major:6
                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                        Import Hash:e1b38713ae08284f2d5e8f7451cd353a
                                                                                                                                        Signature Valid:false
                                                                                                                                        Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                        Error Number:-2146869232
                                                                                                                                        Not Before, Not After
                                                                                                                                        • 16/11/2023 20:20:08 14/11/2024 20:20:08
                                                                                                                                        Subject Chain
                                                                                                                                        • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                        Version:3
                                                                                                                                        Thumbprint MD5:1E2354965A83BD0EB745A2611567E5DF
                                                                                                                                        Thumbprint SHA-1:71F53A26BB1625E466727183409A30D03D7923DF
                                                                                                                                        Thumbprint SHA-256:CE08760345BD5A18AA9091E6F083522AD593BD42F587699E025AFD55BE589334
                                                                                                                                        Serial:330000045FF3C96C1A7FF7DA1D00000000045F
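The signature fields above describe one specific state: a certificate table is present (Digitally signed: true) with a Microsoft Windows Production PCA 2011 chain, but Windows refuses it with error number -2146869232, which is 0x80096010, TRUST_E_BAD_DIGEST. That code means the digest inside the PKCS#7 blob was computed over different bytes than the file now contains, either because the file was modified after signing (the .vmp2 sections in the directory table point at VMProtect-style processing) or because the signature blob was copied from another file; the report cannot tell the two apart. On a Windows host the check is Get-AuthenticodeSignature .\TsWpfWrp.exe (Status HashMismatch) or signtool verify /pa /v TsWpfWrp.exe. The following is an added example, not part of the Joe Sandbox report and not the sample itself, that reimplements the relevant part in Python over constructed minimal PE32+ images: it computes the Authenticode PE hash (everything except the CheckSum field, the Security data-directory entry and the certificate table), walks the WIN_CERTIFICATE table, and shows why "Digitally signed" stays true while "Signature Valid" goes false after tampering with one byte or after grafting a certificate table onto a different binary. The TOY-PKCS7 payload is a labelled stand-in for real PKCS#7 SignedData, so chain validation and the countersignature timestamp that normally covers the 14/11/2024 certificate expiry are out of scope here.

```python
import hashlib
import struct

# Constructed demo, not the report's sample: minimal PE32+ images built in memory.
# The Authenticode hash rules and WIN_CERTIFICATE layout are the real ones; the
# certificate payload is a labelled stand-in for PKCS#7 SignedData.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002
TOY_TAG = b"TOY-PKCS7:"  # stand-in for a signed SpcIndirectDataContent digest


def build_pe(text: bytes) -> bytes:
    """Minimal (non-runnable) PE32+ with one .text section at file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)  # 1 section, 240-byte optional header
    raw_size = (len(text) + 0x1FF) & ~0x1FF
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, raw_size, 0, 0,
                      0x1000, 0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, 0x200, 0, 2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                          # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + text.ljust(raw_size, b"\0")


def _layout(pe: bytes):
    """Offsets the hash rules depend on: CheckSum, Security dir entry, SizeOfHeaders, sections."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B               # PE32+ vs PE32
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sec_entry = opt + (112 if plus else 96) + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    sections = [struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)  # (SizeOfRawData, PointerToRawData)
                for i in range(nsect)]
    return opt + 64, sec_entry, size_of_headers, sections


def authenticode_hash(pe: bytes, algo: str = "sha256") -> bytes:
    """Authenticode PE hash: skip CheckSum, the Security directory entry and the
    certificate table; sections in PointerToRawData order; overlay appended."""
    checksum, sec_entry, size_of_headers, sections = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:sec_entry])
    h.update(pe[sec_entry + 8:size_of_headers])
    hashed = size_of_headers
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    overlay = pe[hashed:cert_off] + pe[cert_off + cert_size:] if cert_size else pe[hashed:]
    h.update(overlay)
    return h.digest()


def parse_certificates(pe: bytes) -> list:
    """Walk IMAGE_DIRECTORY_ENTRY_SECURITY: its 'VirtualAddress' is a raw file
    offset, and each WIN_CERTIFICATE entry is 8-byte aligned."""
    _, sec_entry, _, _ = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    entries, pos = [], cert_off
    while cert_size and pos < cert_off + cert_size:
        length, revision, ctype = struct.unpack_from("<IHH", pe, pos)
        entries.append((revision, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7
    return entries


def toy_sign(pe: bytes) -> bytes:
    """Attach a certificate table carrying the file's Authenticode SHA-256
    (a real signer wraps that digest in PKCS#7 and signs it with the cert)."""
    _, sec_entry, _, _ = _layout(pe)
    payload = TOY_TAG + authenticode_hash(pe)
    entry = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    entry = entry.ljust((len(entry) + 7) & ~7, b"\0")
    out = bytearray(pe)
    struct.pack_into("<II", out, sec_entry, len(pe), len(entry))
    return bytes(out) + entry


def graft_certificate(signed_src: bytes, unsigned_dst: bytes) -> bytes:
    """Copy the certificate table of one file onto another: how a vendor's
    signature ends up on a binary the vendor never signed."""
    _, src_entry, _, _ = _layout(signed_src)
    off, size = struct.unpack_from("<II", signed_src, src_entry)
    _, dst_entry, _, _ = _layout(unsigned_dst)
    out = bytearray(unsigned_dst)
    struct.pack_into("<II", out, dst_entry, len(unsigned_dst), size)
    return bytes(out) + signed_src[off:off + size]


def verify(pe: bytes) -> dict:
    """Mirror the report's two fields: 'Digitally signed' only says a certificate
    table exists; 'Signature Valid' also needs the embedded digest to match."""
    certs = parse_certificates(pe)
    if not certs:
        return {"digitally_signed": False, "signature_valid": False, "error": "TRUST_E_NOSIGNATURE"}
    _, ctype, blob = certs[0]
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not blob.startswith(TOY_TAG):
        return {"digitally_signed": True, "signature_valid": False, "error": "unsupported payload"}
    if blob[len(TOY_TAG):] == authenticode_hash(pe):
        return {"digitally_signed": True, "signature_valid": True, "error": None}
    return {"digitally_signed": True, "signature_valid": False,
            "error": "TRUST_E_BAD_DIGEST (0x80096010): digest does not match file"}


def demo() -> dict:
    clean = toy_sign(build_pe(b"\x48\x83\xEC\x28\xE8\x00\x00\x00\x00\x48\x83\xC4\x28\xC3"))
    tampered = bytearray(clean)
    tampered[0x200] ^= 0xFF                        # one byte of .text changed, cert table kept
    stolen = graft_certificate(clean, build_pe(b"\x90" * 16))
    return {"clean": verify(clean), "tampered": verify(bytes(tampered)), "grafted": verify(stolen)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} {verdict}")
```

Because the hash excludes the certificate table and its directory entry, signing does not change the value the signature commits to, which is also why a lifted blob parses cleanly on any file while failing the digest check. A real verifier additionally validates the PKCS#7 signature and the chain to a trusted root, which Get-AuthenticodeSignature and signtool do and this stand-in does not.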
                                                                                                                                         Instruction (entry-point disassembly as the report decodes it, in 32-bit mode; in this x64 image each "dec eax" shown before an instruction is the 0x48 REX.W prefix, so "dec eax / sub esp, 28h" is sub rsp, 28h and "inc ebp / xor ecx, ecx" is xor r9d, r9d)
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 28h
                                                                                                                                        call 00007F7038B9E8CCh
                                                                                                                                        dec eax
                                                                                                                                        add esp, 28h
                                                                                                                                        jmp 00007F7038B9DC2Fh
                                                                                                                                        int3
                                                                                                                                        int3
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [esp+08h], ebx
                                                                                                                                        push edi
                                                                                                                                        dec eax
                                                                                                                                        sub esp, 20h
                                                                                                                                        mov edx, 00000FA0h
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00D1C5B6h]
                                                                                                                                        call dword ptr [00110A70h]
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00BDE3C9h]
                                                                                                                                        call dword ptr [001106C3h]
                                                                                                                                        dec eax
                                                                                                                                        mov ebx, eax
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        jne 00007F7038B9DDC7h
                                                                                                                                        dec eax
                                                                                                                                        lea ecx, dword ptr [00BDE3FCh]
                                                                                                                                        call dword ptr [001106AEh]
                                                                                                                                        dec eax
                                                                                                                                        mov ebx, eax
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        je 00007F7038B9DE31h
                                                                                                                                        dec eax
                                                                                                                                        lea edx, dword ptr [00BDE407h]
                                                                                                                                        dec eax
                                                                                                                                        mov ecx, ebx
                                                                                                                                        call dword ptr [0011069Eh]
                                                                                                                                        dec eax
                                                                                                                                        lea edx, dword ptr [00BDE417h]
                                                                                                                                        dec eax
                                                                                                                                        mov ecx, ebx
                                                                                                                                        dec eax
                                                                                                                                        mov edi, eax
                                                                                                                                        call dword ptr [0011068Bh]
                                                                                                                                        dec eax
                                                                                                                                        test edi, edi
                                                                                                                                        je 00007F7038B9DDC7h
                                                                                                                                        dec eax
                                                                                                                                        test eax, eax
                                                                                                                                        je 00007F7038B9DDC2h
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [00D1C57Ah], edi
                                                                                                                                        dec eax
                                                                                                                                        mov dword ptr [00D1C57Bh], eax
                                                                                                                                        jmp 00007F7038B9DDD0h
                                                                                                                                        inc ebp
                                                                                                                                        xor ecx, ecx
                                                                                                                                        inc ebp
xor eax, eax
xor ecx, ecx
inc ecx
lea edx, dword ptr [ecx+01h]
call dword ptr [001109AFh]
dec eax
mov dword ptr [00D1C528h], eax
dec eax
test eax, eax
je 00007F7038B9DDD6h
xor ecx, ecx
call 00007F7038B9D8D9h
test al, al
je 00007F7038B9DDCBh
dec eax
lea ecx, dword ptr [0000001Dh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c0f40 | 0x154 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1626000 | 0x21f18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa25208 | 0x75f0c | .vmp2
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16362b8 | 0x2580 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1648000 | 0xc260 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14d5a98 | 0x1c | .vmp2
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14d5c00 | 0x28 | .vmp2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14d5ac0 | 0x138 | .vmp2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c0000 | 0xf18 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9be6c0 | 0x9be800 | 9816e1ace3ae4932e5f1f926128a9e83 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.idata | 0x9c0000 | 0x4270 | 0x4400 | 959be3ccfc6621bfa4518b00914d8f58 | False | 0.31359145220588236 | OpenPGP Public Key | 4.785762588269584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.enigma1 | 0x9c5000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.enigma2 | 0x9c6000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp1 | 0x9c7000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp2 | 0x9c8000 | 0xc05f9c | 0xbf1e00 | fdd5a5b90a17d96f1f46d8649fe0303a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.arch | 0x15ce000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.srdata | 0x15cf000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x15d0000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xpdata | 0x15d1000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xtls | 0x15d2000 | 0x10 | 0x200 | 4b6b4a2dc8aebd85a41ae78e2d5d0a60 | False | 0.05078125 | data | 0.19977565608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida | 0x15d3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dsstext | 0x15d4000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.qtmetad | 0x15d5000 | 0x536 | 0x600 | bfd0a37e057f358d80d1716d9a9abd7e | False | 0.24609375 | data | 5.0500249701877475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed | 0x15d6000 | 0x4ece5 | 0x4ee00 | 2d32d357ab751ffbbb513570c6ee6986 | False | 0.997458770800317 | gzip compressed data, original size modulo 2^32 0 | 7.998000978505572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA | 0x1625000 | 0x130 | 0x200 | 50963dc31dd5296ef59fd1f5410f542e | False | 0.322265625 | Applesoft BASIC program data, first line number 139 | 2.683411946039657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1626000 | 0x21f18 | 0x22000 | c3f350f8ae2b6f90ad309be24d9d9fb1 | False | 0.15611356847426472 | data | 5.358918491165411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1648000 | 0xc260 | 0xc400 | ce4a05399665352f604dd060a3c88295 | False | 0.16198979591836735 | data | 5.474939711825512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x16261f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.08754288418313025
RT_ICON | 0x1636a20 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | | | 0.16465209165440403
RT_ICON | 0x163fec8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.23783656117146906
RT_ICON | 0x16440f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.2872406639004149
RT_ICON | 0x1646698 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.4226078799249531
RT_ICON | 0x1647740 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.6773049645390071
RT_GROUP_ICON | 0x1647ba8 | 0x5a | data | | | 0.7777777777777778
RT_VERSION | 0x1647c04 | 0x310 | data | English | United States | 0.49107142857142855
DLL | Import
WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationW
UxTheme.dll | GetThemeColor, GetThemeInt, GetThemePartSize, OpenThemeData, GetThemeEnumValue, GetThemeMargins, GetCurrentThemeName, IsAppThemed, IsThemeActive, SetWindowTheme, GetThemeBool, IsThemeBackgroundPartiallyTransparent, GetThemeBackgroundRegion, CloseThemeData, GetThemeTransitionDuration, GetThemePropertyOrigin
dwmapi.dll | DwmGetWindowAttribute, DwmIsCompositionEnabled, DwmSetWindowAttribute, DwmEnableBlurBehindWindow
GDI32.dll | CreateRectRgn, DeleteDC, DeleteObject, GetRegionData, SelectClipRgn, SelectObject, CreateDIBSection, GdiFlush, BitBlt, CreateCompatibleDC, SetLayout, GetDeviceCaps, CreateCompatibleBitmap, CreateDCW, CreateBitmap, ChoosePixelFormat, SetPixelFormat, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, EnumFontFamiliesExW, GetFontData, GetStockObject, AddFontResourceExW, RemoveFontResourceExW, AddFontMemResourceEx, RemoveFontMemResourceEx, GetTextMetricsW, GetTextFaceW, GetCharABCWidthsW, GetCharABCWidthsFloatW, GetGlyphOutlineW, GetOutlineTextMetricsW, GetTextExtentPoint32W, GetCharABCWidthsI, SetBkMode, SetGraphicsMode, SetTextColor, SetTextAlign, SetWorldTransform, ExtTextOutW, CombineRgn, OffsetRgn, GetDIBits
OLEAUT32.dll | SafeArrayPutElement, SysAllocString, SafeArrayCreateVector, SysFreeString
IMM32.dll | ImmGetVirtualKey, ImmSetCandidateWindow, ImmGetDefaultIMEWnd, ImmGetContext, ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow
KERNEL32.dll | EnterCriticalSection, RaiseException, VirtualProtect, lstrcmpW, GetLastError, GetCurrentThreadId, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, WTSGetActiveConsoleSessionId, ExpandEnvironmentStringsW, CloseHandle, CreateProcessW, CheckRemoteDebuggerPresent, OpenProcess, GlobalAlloc, GlobalUnlock, GlobalLock, GetLocaleInfoW, LoadLibraryW, LoadLibraryA, GlobalSize, GetCurrentProcessId, GetUserDefaultLangID, CreateFileW, GetFileSizeEx, ReadFile, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, RtlPcToFileHeader, GetExitCodeProcess, GetUserGeoID, InitializeCriticalSectionEx, GetTimeZoneInformation, GetModuleHandleExW, FreeLibrary, FindNextFileW, VirtualFree, VirtualAlloc, CreateMutexW, ReleaseMutex, InitializeCriticalSection, WriteConsoleW, HeapSize, GetProcessHeap, FreeEnvironmentStringsW, FindFirstFileExW, FindNextChangeNotification, FindFirstChangeNotificationW, FindCloseChangeNotification, MultiByteToWideChar, LCMapStringW, CompareStringW, RegisterWaitForSingleObject, UnregisterWaitEx, SetFilePointerEx, SetEndOfFile, GetFileType, FlushFileBuffers, GetFileInformationByHandleEx, SystemTimeToFileTime, FileTimeToSystemTime, TzSpecificLocalTimeToSystemTime, MoveFileExW, MoveFileW, CopyFileW, DeviceIoControl, SetErrorMode, GetVolumePathNamesForVolumeNameW, GetTempPathW, SetFileTime, RemoveDirectoryW, GetLogicalDrives, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, GetModuleFileNameW, GetStartupInfoW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetFileAttributesExW, GetUserPreferredUILanguages, GetUserDefaultLCID, GetCurrencyFormatW, GetTimeFormatW, GetDateFormatW, ResetEvent, GetSystemInfo, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, ResumeThread, TerminateThread, GetThreadPriority, SetThreadPriority, GetCurrentThread, CreateThread, WaitForMultipleObjects, Sleep, WaitForSingleObject, DuplicateHandle, GetSystemDirectoryW, CreateEventW, WaitForSingleObjectEx, SetEvent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, OutputDebugStringW, GetLocalTime, GetSystemTime, InitializeCriticalSectionAndSpinCount, GetCommandLineW, CompareStringEx, GetConsoleWindow, GetDriveTypeW, GetVolumeInformationW, GetLongPathNameW, DeleteCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, SetLastError, RtlUnwind, LoadLibraryExW, ExitProcess, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetFileAttributesW, SetStdHandle, GetConsoleMode, ReadConsoleW, GetConsoleCP, GetStdHandle, HeapFree, HeapAlloc, RtlUnwindEx, HeapReAlloc, GetCPInfo, IsValidLocale, GetGeoInfoW, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnumSystemLocalesW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, InitializeSListHead
ole32.dll | OleFlushClipboard, OleGetClipboard, OleSetClipboard, CoCreateGuid, CoInitialize, CoCreateInstance, CoUninitialize, OleUninitialize, OleInitialize, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleIsCurrentClipboard, DoDragDrop, CoTaskMemFree, ReleaseStgMedium, CoInitializeEx, CoGetMalloc, StringFromGUID2
SHELL32.dll | SHGetKnownFolderPath, CommandLineToArgvW, SHGetFileInfoW, SHGetStockIconInfo, ShellExecuteW, SHCreateItemFromIDList, SHCreateItemFromParsingName, SHGetMalloc, SHGetPathFromIDListW, SHGetKnownFolderIDList, SHBrowseForFolderW, Shell_NotifyIconW, Shell_NotifyIconGetRect
USER32.dll | IsZoomed, PeekMessageW, FindWindowA, SetCaretPos, GetIconInfo, CreateIconIndirect, CreateCursor, ShowCaret, HideCaret, DestroyCaret, CreateCaret, IsWindowEnabled, RegisterWindowMessageW, GetKeyboardLayout, RegisterClipboardFormatW, ChangeClipboardChain, IsHungAppWindow, LoadIconW, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromWindow, SetMenuItemInfoW, GetMenuItemInfoW, TrackPopupMenu, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, DestroyMenu, CreatePopupMenu, CreateMenu, DrawMenuBar, SetMenu, LoadImageW, GetSysColorBrush, ChildWindowFromPointEx, WindowFromPoint, GetCursorPos, GetFocus, RegisterClassExW, GetClassInfoW, UnregisterClassW, UnregisterPowerSettingNotification, RegisterPowerSettingNotification, GetKeyboardLayoutList, GetAncestor, DestroyIcon, DestroyCursor, GetWindow, GetWindowThreadProcessId, SetParent, GetParent, SetWindowLongPtrW, GetKeyboardState, LoadCursorW, GetWindowLongW, ScreenToClient, ClientToScreen, SetCursor, AdjustWindowRectEx, GetWindowRect, GetClientRect, SetWindowTextW, InvalidateRect, SetWindowRgn, GetUpdateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, EnableMenuItem, GetSystemMenu, GetMenu, ReleaseCapture, SetCapture, GetCapture, IsTouchWindow, UnregisterTouchWindow, RegisterTouchWindow, SetFocus, IsIconic, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, MoveWindow, FlashWindowEx, SetLayeredWindowAttributes, UpdateLayeredWindow, ShowWindow, IsChild, CreateWindowExW, AttachThreadInput, PostMessageW, SendMessageW, UpdateLayeredWindowIndirect, GetCaretBlinkTime, MessageBeep, IsWindow, GetDoubleClickTime, GetDesktopWindow, GetSysColor, ReleaseDC, GetDC, DestroyWindow, DefWindowProcW, SystemParametersInfoW, GetSystemMetrics, GetKeyState, ToAscii, ToUnicode, MapVirtualKeyW, TrackPopupMenuEx, ChangeWindowMessageFilterEx, RealGetWindowClassW, EnumWindows, GetWindowTextW, CloseTouchInputHandle, GetTouchInputInfo, GetAsyncKeyState, GetMessageExtraInfo, TrackMouseEvent, GetClipboardFormatNameW, GetWindowLongPtrW, MessageBoxW, DrawIconEx, TranslateMessage, DispatchMessageW, GetQueueStatus, GetCursor, GetCursorInfo, SetCursorPos, EnumDisplayDevicesW, SetWindowLongW, RegisterClassW, MsgWaitForMultipleObjectsEx, SetTimer, KillTimer, CharNextExA, RegisterDeviceNotificationW, UnregisterDeviceNotification, MonitorFromPoint, SetClipboardViewer
WINMM.dll | timeSetEvent, PlaySoundW, timeKillEvent
USERENV.dll | GetUserProfileDirectoryW
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
NETAPI32.dll | NetApiBufferFree, NetShareEnum
WS2_32.dll | WSAAsyncSelect
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegQueryValueExW, SystemFunction036, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegQueryInfoKeyW, RegSetValueExW, OpenProcessToken, AccessCheck, AllocateAndInitializeSid, CopySid, DuplicateToken, FreeSid, GetLengthSid, MapGenericMask, LookupAccountSidW, GetEffectiveRightsFromAclW, GetNamedSecurityInfoW, BuildTrusteeWithSidW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 11:23:08.328557014 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:08.448304892 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:08.450627089 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:08.459929943 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:08.579655886 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:10.033875942 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:10.076890945 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:10.210330963 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:10.329994917 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:20.342545033 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:20.462130070 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:30.467586994 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:30.588200092 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:40.592705011 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:40.712676048 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:23:50.717705011 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:23:50.837395906 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:00.842575073 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:00.962362051 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:10.967794895 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:11.087519884 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:11.923651934 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:12.043648958 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:22.045717955 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:22.165504932 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:32.170773983 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:32.290678978 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:42.295732021 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:42.415388107 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:24:52.421084881 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:24:52.541208982 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:25:02.545936108 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:25:02.665679932 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Dec 23, 2024 11:25:10.920376062 CET | 49707 | 80 | 192.168.2.5 | 52.74.204.186
Dec 23, 2024 11:25:11.040065050 CET | 80 | 49707 | 52.74.204.186 | 192.168.2.5
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 52.74.204.186 | 80 | 2860 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 11:23:08.459929943 CET | 56 | OUT | Data Raw: 2c 19 05 22 1b 0f 0a 17 15 01 0a 0d 17 07 1e 07 1f 24 0e 09 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38
Data Ascii: ,"$::::::::::::::::::::::::::::::::=8
Dec 23, 2024 11:23:10.033875942 CET | 85 | IN | Data Raw: 27 11 15 1d 1c 08 1a 14 04 08 12 15 19 08 0e 08 13 1a 2b 26 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 5e 3a 3a 3a 27 3a 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c 63 b2 12 b1 e2 b3 e2 01 92 dc 56 1c 56 9c 60 9a c9 8a d9 8a 9a 00 00 b5
Data Ascii: '+&::::::::::::::::;:::^:::':::::::=8xcVV`Iu
Dec 23, 2024 11:23:10.210330963 CET | 790 | OUT | Data Raw: 27 11 15 1d 1c 08 1a 14 04 08 12 15 19 08 0e 08 13 1a 2b 26 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3b 3a 3a 3a 56 1f 3a 3a e4 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 df 6b 1a 41 10 2e b6 0f 56 6d 9a 07 1f 82 84 52 42 09 a5 94 3e f5
Data Ascii: '+&::::::::::::::::;:::V::8::::::=8xXkA.VmRB>{*;1'QOBRP(_7sF+{33EYe7on)+oOZ?L0mX\Tc(i)VsVKF?45L$39\3
Dec 23, 2024 11:23:20.342545033 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:23:30.467586994 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:23:40.592705011 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:23:50.717705011 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:24:00.842575073 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:24:10.967794895 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 23, 2024 11:24:11.923651934 CET | 638 | OUT | Data Raw: 1d 17 10 27 0c 2e 16 11 2f 1c 1c 10 1f 08 14 19 1f 26 08 24 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 3a 32 1a 3a 3a fe 27 3a 3a 7c 38 3a 3a 3a 3a 3a 3a 1e 1a 3d 38 78 9c ed 58 41 4b 1b 51 10 86 9e 4a bd f4 e0 41 82 48 2b a5 88 88 f4 e0 e9 a3
Data Ascii: './&$::::::::::::::::2::'::|8::::::=8xXAKQJAH++J9TJ~3/HVd6{31r!F-0AG]!c-w/"vH`gHS.)FImr;uwoL(,mkVVkq#l



                                                                                                                                        Target ID:0
                                                                                                                                        Start time:05:23:04
                                                                                                                                        Start date:23/12/2024
                                                                                                                                        Path:C:\Users\user\Desktop\TsWpfWrp.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\Desktop\TsWpfWrp.exe"
                                                                                                                                        Imagebase:0x7ff6e0c00000
                                                                                                                                        File size:23'300'152 bytes
                                                                                                                                        MD5 hash:FFE0F3673552C76510434386FCF7D5A1
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000002.2102369827.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                                                        • Rule: INDICATOR_EXE_Packed_Enigma, Description: Detects executables packed with Enigma, Source: 00000000.00000000.2072292358.00007FF6E0C00000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:3
                                                                                                                                        Start time:05:23:04
                                                                                                                                        Start date:23/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                                        Imagebase:0x7ff7e52b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:4
                                                                                                                                        Start time:05:23:06
                                                                                                                                        Start date:23/12/2024
                                                                                                                                        Path:C:\Program Files\Windows Mail\ParphaCrashReport64.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files\Windows Mail\ParphaCrashReport64.exe"
                                                                                                                                        Imagebase:0x7ff671bf0000
                                                                                                                                        File size:238'384 bytes
                                                                                                                                        MD5 hash:8B5D51DF7BBD67AEB51E9B9DEE6BC84A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 4%, ReversingLabs
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:5
                                                                                                                                        Start time:05:23:06
                                                                                                                                        Start date:23/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs
                                                                                                                                        Imagebase:0x7ff7e52b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:6
                                                                                                                                        Start time:05:23:07
                                                                                                                                        Start date:23/12/2024
                                                                                                                                        Path:C:\Windows\System32\dllhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
                                                                                                                                        Imagebase:0x7ff669820000
                                                                                                                                        File size:21'312 bytes
                                                                                                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:false


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:1.5%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:76.4%
                                                                                                                                          Total number of Nodes:110
                                                                                                                                          Total number of Limit Nodes:4
                                                                                                                                          execution_graph 13592 1800080f2 VirtualAllocEx WriteProcessMemory 13593 180008273 memset memcpy NtAlpcConnectPort 13592->13593 13595 18000a8b2 WriteProcessMemory 13596 18000a939 13595->13596 13597 180005824 realloc NtQuerySystemInformation 13598 1800054d5 13599 180005524 DuplicateHandle 13598->13599 13600 1800055a7 13599->13600 13601 180005a0d GetProcessId 13602 180005a8c 13601->13602 13607 180008e30 RtlAdjustPrivilege 13608 180008eb4 13607->13608 13609 180008eaf 13607->13609 13612 180112660 13608->13612 13611 180008eb9 13613 180112669 13612->13613 13614 180112674 13613->13614 13615 180112a14 IsProcessorFeaturePresent 13613->13615 13614->13611 13616 180112a2c 13615->13616 13619 180112ae8 RtlCaptureContext 13616->13619 13618 180112a3f 13618->13611 13620 180112b02 RtlLookupFunctionEntry 13619->13620 13621 180112b51 13620->13621 13622 180112b18 RtlVirtualUnwind 13620->13622 13621->13618 13622->13620 13622->13621 13623 180009bc0 VirtualAllocEx 13624 180009da0 13623->13624 13625 180001920 memset GetModuleFileNameW wcsstr 13626 1800019a8 13625->13626 13627 18000197a IsUserAnAdmin 13625->13627 13658 180001010 malloc 13626->13658 13628 180001984 13627->13628 13629 180001995 13627->13629 13637 1800015b0 13628->13637 13634 18000199f ExitProcess 13629->13634 13634->13626 13635 180112660 4 API calls 13636 1800019c0 13635->13636 13638 1800015db malloc 13637->13638 13639 180001893 13637->13639 13638->13639 13641 1800015f7 memcpy malloc 13638->13641 13640 180112660 4 API calls 13639->13640 13642 18000190e ExitProcess 13640->13642 13641->13639 13643 180001625 memset 13641->13643 13642->13629 13644 180001656 13643->13644 13645 18000165b 13643->13645 13646 18000169b memset GetModuleFileNameW malloc 13644->13646 13645->13644 13647 180001682 memcpy 13645->13647 13646->13639 13648 1800016df memset memcpy 13646->13648 13647->13646 13649 180001720 
13648->13649 13649->13649 13650 180001773 OpenSCManagerW 13649->13650 13650->13639 13651 18000179b EnumServicesStatusExW malloc 13650->13651 13651->13639 13652 1800017f4 memset EnumServicesStatusExW 13651->13652 13653 180001845 CloseServiceHandle free 13652->13653 13654 180001856 CloseServiceHandle 13652->13654 13653->13639 13654->13639 13657 180001865 13654->13657 13655 180001870 lstrcmpiW 13656 180001895 free 13655->13656 13655->13657 13656->13639 13657->13639 13657->13655 13659 180001568 13658->13659 13664 18000104e 13658->13664 13660 180112660 4 API calls 13659->13660 13661 18000159f 13660->13661 13661->13635 13662 1800010c4 malloc 13662->13659 13663 1800010db memcpy memcpy 13662->13663 13665 180001120 13663->13665 13664->13662 13665->13659 13666 180001195 memset wsprintfW CreateFileW 13665->13666 13667 180001212 GetLastError 13666->13667 13668 18000121a WriteFile 13666->13668 13669 18000124c Sleep memset wsprintfW CreateFileW 13667->13669 13670 180001243 CloseHandle 13668->13670 13671 18000123d GetLastError 13668->13671 13672 1800012c4 GetLastError 13669->13672 13673 1800012cc WriteFile 13669->13673 13670->13669 13671->13670 13674 1800012fe Sleep memset wsprintfW CreateFileW 13672->13674 13675 1800012f5 CloseHandle 13673->13675 13676 1800012ef GetLastError 13673->13676 13677 180001376 GetLastError 13674->13677 13678 18000137e WriteFile 13674->13678 13675->13674 13676->13675 13679 1800013ac Sleep 13677->13679 13680 1800013a3 CloseHandle 13678->13680 13681 18000139d GetLastError 13678->13681 13679->13659 13682 1800013c1 VirtualAlloc 13679->13682 13680->13679 13681->13680 13682->13659 13683 1800013e6 memcpy CreateThread 13682->13683 13695 180001a10 CoInitialize 13683->13695 13686 180001523 memset memcpy CreateThread 13686->13659 13687 180001430 VariantInit 13688 180001498 13687->13688 13689 18000149c SysAllocString 13688->13689 13690 1800014be GetLastError 13688->13690 13692 1800014ba 13689->13692 13691 1800014c4 13690->13691 13691->13686 13693 1800014ca memset 
wsprintfW 13691->13693 13692->13690 13692->13691 13703 180001d60 13693->13703 13696 180001b50 13695->13696 13696->13696 13697 180001cae CLSIDFromString 13696->13697 13698 180001d04 IIDFromString 13697->13698 13699 180001d3b 13697->13699 13698->13699 13701 180001d17 CoCreateInstance 13698->13701 13700 180112660 4 API calls 13699->13700 13702 180001423 13700->13702 13701->13699 13702->13686 13702->13687 13704 180001da5 SysAllocString 13703->13704 13715 18000206a 13703->13715 13705 180001dbb 13704->13705 13708 180001dd9 SysAllocString SysAllocString 13705->13708 13705->13715 13706 180112660 4 API calls 13707 180002086 13706->13707 13707->13686 13709 180001e08 13708->13709 13710 180001f1f IIDFromString 13709->13710 13709->13715 13711 180001f4c 13710->13711 13712 180001f5e SysAllocString SysAllocString 13711->13712 13711->13715 13713 180001f88 13712->13713 13714 180001fd9 VariantInit SysAllocString 13713->13714 13713->13715 13714->13715 13715->13706

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
                                                                                                                                          • String ID: Schedule
                                                                                                                                          • API String ID: 3636854120-2739827629
                                                                                                                                          • Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                                          • Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
                                                                                                                                          • Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
                                                                                                                                          • Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          • Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!, xrefs: 0000000180008315
                                                                                                                                          • 0, xrefs: 000000018000828B
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocAlpcConnectMemoryPortProcessVirtualWritememcpymemset
                                                                                                                                          • String ID: 0$Dive right in and make a splash,We're throwing a pool party in a flash!Bring your swimsuits and sunscreen galore,We'll turn up the heat and let the good times pour!
                                                                                                                                          • API String ID: 2322259470-3460289035
                                                                                                                                          • Opcode ID: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
                                                                                                                                          • Instruction ID: a438414d86da3f9fa76c6e2917a93b97ec5bb287934b9f4f7f73d30ebcaf7dce
                                                                                                                                          • Opcode Fuzzy Hash: c43cf6f9343ddec1ca79c7315b89c45580cd43461ba35576a3c26a51ac169fb6
                                                                                                                                          • Instruction Fuzzy Hash: 6D713DB5324EC891EBA5CF65E8587DA6362F788798F80A216DE4D07668DF3CC249C700

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 47 180009bc0-180009d4a VirtualAllocEx 48 180009da0-180009da9 47->48 49 180009db1-180009e16 48->49 50 180009dab 48->50 50->49
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                          • String ID: @
                                                                                                                                          • API String ID: 4275171209-2766056989
                                                                                                                                          • Opcode ID: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
                                                                                                                                          • Instruction ID: 13e2f726a9112c9c31c995d983c9da114070f7450b087ebba6d3042457f4b947
                                                                                                                                          • Opcode Fuzzy Hash: 08567cc30074b475b331b46d2cc87d554941ba0be2af3992f720d6e759045faf
                                                                                                                                          • Instruction Fuzzy Hash: 8F41CF32318B9881EB65CF62F854BD67764F788784F519116EE8D43B14DF38C61AC700

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 54 180005824-1800058d4 realloc NtQuerySystemInformation
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InformationQuerySystemrealloc
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4089764311-0
                                                                                                                                          • Opcode ID: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
                                                                                                                                          • Instruction ID: b0525076bbbf58c043072cd616ac76dc382e5d39b6996fcf6a95a9be821e6ce1
                                                                                                                                          • Opcode Fuzzy Hash: aa0bfc6469bc17d5eeda48fd87731ce22d6874c3ca3fc959c4416cf641374c4d
                                                                                                                                          • Instruction Fuzzy Hash: 27015EB632498485FB55CBA6E86839BB362E38CBD4F44E0269E0D47758CE28C1098700

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 55 1800054d5-1800055a1 DuplicateHandle 57 1800055a7 55->57 58 1800069ad 55->58 57->58
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                          • Opcode ID: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
                                                                                                                                          • Instruction ID: 9c50cbf5d08d3b6d4a605893f6b359a3682b26f1feaf6ace4ca51b493498b96a
                                                                                                                                          • Opcode Fuzzy Hash: de33ea6b4f9ce6d4b4402c8e18623ba837b56d9b22b6662e0c33dbf5e61d8208
                                                                                                                                          • Instruction Fuzzy Hash: 9211BFB1614B8885FB61CFA5E8187C773A0E38D794F45A116DE4E17B64CF38C209C704

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
                                                                                                                                          • String ID: svchost.exe
                                                                                                                                          • API String ID: 2075570005-3106260013
                                                                                                                                          • Opcode ID: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
                                                                                                                                          • Instruction ID: bee279387a080e4ef1cf93fe2260fe9373c10eb3ce040ed65f2ee5617e8a23f3
                                                                                                                                          • Opcode Fuzzy Hash: 79fe10d2032a91db138303a6d4bba14be8b863467a7872a6f2e5965e82f79385
                                                                                                                                          • Instruction Fuzzy Hash: 87019631310A4C81FBAADB21E4A93DA6360BB8C795F449025A95E46695DF3CC34CC740

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 51 18000ad3e-18000adcc VirtualAllocEx 52 18000add5 51->52 53 18000adce 51->53 53->52
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                          • String ID: @
                                                                                                                                          • API String ID: 4275171209-2766056989
                                                                                                                                          • Opcode ID: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
                                                                                                                                          • Instruction ID: 6b845daad974ccd9c6abd76d61111d535f536517db2d34ef27256cbb8d76cfd7
                                                                                                                                          • Opcode Fuzzy Hash: 25e8e2e1e41b46ff06f862ad0091e17087f53469a818b64f494525446fc89b42
                                                                                                                                          • Instruction Fuzzy Hash: 7B016DB5729A8C41FBA9CBA1F465BD62360A78DBD4F40A21A9D0E17B55DE2CC2068304

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 59 18000a9be-18000aa4b VirtualAllocEx 60 18000aa51 59->60 61 18000b194 59->61 60->61
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                          • Opcode ID: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
                                                                                                                                          • Instruction ID: 251b8e02f3a2b925dc00676b0f08ae0c6924386de3889a0ff5d432a66f8cfcc3
                                                                                                                                          • Opcode Fuzzy Hash: e550c5f1444e37c0b1477e103827308c662109d29a65ec8f8fad6b41b1961b1e
                                                                                                                                          • Instruction Fuzzy Hash: 75012CB5619E8C41FBA9CBA1F464BDA6774E78DB94F40A11ADE0E17B51DF28C20AC304

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AdjustPrivilege
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3260937286-0
                                                                                                                                          • Opcode ID: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
                                                                                                                                          • Instruction ID: 04bb496a426d1b43e6b52f20395e61ae4e41d159ec3593a713d9b4970c529e46
                                                                                                                                          • Opcode Fuzzy Hash: 0831086ae50f2ba65709bcbf1c33f12cfd0f3053b93a604bdcfa268e10cb0fbc
                                                                                                                                          • Instruction Fuzzy Hash: A5F04F3A334F8C81EBE9DB21E85979667A0B74CB98F41A406ED4D43764CE3DC2158B00

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 67 180005a0d-180005a86 GetProcessId 68 1800069ba 67->68 69 180005a8c 67->69 69->68
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1235230986-0
                                                                                                                                          • Opcode ID: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
                                                                                                                                          • Instruction ID: d652ffa87c38ed1c04ac93e0a0d2335ef1528c7a1f19fbd04ef7ff50280f2555
                                                                                                                                          • Opcode Fuzzy Hash: d16e56ca8ceffb6996a770eebb8859cff0112ba79151dc499dea6e218c25d2af
                                                                                                                                          • Instruction Fuzzy Hash: 0C018BB271490485EB54CB59E4503AB7371F78DBD8F50A122EF4E87764DF29C256C704

Control-flow Graph

control_flow_graph 70 18000af22-18000afa4 WriteProcessMemory 71 18000afaa 70->71 72 18000b1a0 70->72 71->72
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction ID: 56856a108c934b35fd8b12db096080665d1aff2e22ecb35535ebb708edeb7d18
• Opcode Fuzzy Hash: 4492a0bf8fcf8f33afd06441f64975728a7ffe302e5029ee3f64efdc84710f0c
• Instruction Fuzzy Hash: 9101E8B5319E8891FBA9CB52E898386A362A78DBD0F51D1169D0D47768CE2DC109C304

Control-flow Graph

control_flow_graph 73 18000a8b2-18000a937 WriteProcessMemory 74 18000a939 73->74 75 18000a940 73->75 74->75
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction ID: 440d9c2e63d84a318507e4d3145013176a8cc7cafd38941c5fd7eab054e276a3
• Opcode Fuzzy Hash: a9c6a2df7492c35cbc3cd719515342c8cda296547e204cd9f67484ff88ad8695
• Instruction Fuzzy Hash: 4A013CF5319E8881FBA5CB56E898786A762E78EBD4F41D1168D4D0B768CF3DC109C304

Control-flow Graph

control_flow_graph 76 18000b100-18000b183 WriteProcessMemory 77 18000b185 76->77 78 18000b18c 76->78 77->78
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction ID: 24c97e1a4b5bf787aa031fe235fe3c6da918f95ea593df74073bd4adbefb4954
• Opcode Fuzzy Hash: 35ffae5299d4c335a8ff36bc6453c7f7216bb7ebbfbf3e1d59d74c353a4e1218
• Instruction Fuzzy Hash: 73F03CF5329E9981FBA5CB12EC58786A322F789BD4F41E1168D0D4B768CE2DC2098384

Control-flow Graph

control_flow_graph 79 180001010-180001048 malloc 80 18000104e-18000107d call 180113300 79->80 81 180001590-1800015a9 call 180112660 79->81 86 180001084-18000108c 80->86 87 18000107f-180001082 80->87 89 180001093-1800010a4 86->89 90 18000108e-180001091 86->90 88 1800010c4-1800010d5 malloc 87->88 93 180001578-180001588 88->93 94 1800010db-180001116 memcpy * 2 88->94 91 1800010a6-1800010a9 89->91 92 1800010ab-1800010be call 180113336 89->92 90->88 91->88 92->88 93->81 96 180001120-18000116c 94->96 96->96 98 18000116e-18000117a 96->98 99 180001180-18000118b 98->99 99->99 100 18000118d-18000118f 99->100 100->93 101 180001195-180001210 memset wsprintfW CreateFileW 100->101 102 180001212-180001218 GetLastError 101->102 103 18000121a-18000123b WriteFile 101->103 104 18000124c-1800012c2 Sleep memset wsprintfW CreateFileW 102->104 105 180001243-180001246 CloseHandle 103->105 106 18000123d GetLastError 103->106 107 1800012c4-1800012ca GetLastError 104->107 108 1800012cc-1800012ed WriteFile 104->108 105->104 106->105 109 1800012fe-180001374 Sleep memset wsprintfW CreateFileW 107->109 110 1800012f5-1800012f8 CloseHandle 108->110 111 1800012ef GetLastError 108->111 112 180001376-18000137c GetLastError 109->112 113 18000137e-18000139b WriteFile 109->113 110->109 111->110 114 1800013ac-1800013bb Sleep 112->114 115 1800013a3-1800013a6 CloseHandle 113->115 116 18000139d GetLastError 113->116 117 1800013c1-1800013e0 VirtualAlloc 114->117 118 180001568-180001570 114->118 115->114 116->115 117->118 119 1800013e6-18000142a memcpy CreateThread call 180001a10 117->119 118->93 122 180001523-180001562 memset memcpy CreateThread 119->122 123 180001430-18000149a VariantInit 119->123 122->118 125 18000149c-1800014bc SysAllocString 123->125 126 1800014be GetLastError 123->126 125->126 127 1800014c4-1800014c8 125->127 126->127 127->122 129 1800014ca-18000151e memset wsprintfW call 180001d60 127->129 129->122
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
• String ID: %s\%s$\Microsoft\Windows
• API String ID: 1085075972-4137575348
• Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
• Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
• Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

Control-flow Graph

control_flow_graph 131 180001a10-180001b4f CoInitialize 132 180001b50-180001b5c 131->132 132->132 133 180001b5e-180001c9b 132->133 134 180001ca0-180001cac 133->134 134->134 135 180001cae-180001d02 CLSIDFromString 134->135 136 180001d04-180001d15 IIDFromString 135->136 137 180001d3b-180001d5a call 180112660 135->137 136->137 139 180001d17-180001d39 CoCreateInstance 136->139 139->137
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: FromString$CreateInitializeInstance
• String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
• API String ID: 511945936-2205580742
• Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
• Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
• Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID:
• API String ID: 808467561-0
• Opcode ID: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction ID: 4599084cfb13f8c747939fbc3aba35a6bd4e8a08bbcc0f0b71949d4f47730483
• Opcode Fuzzy Hash: e6e2a47d0b7aca8797bf2f78af511f090b7de726a253ea606c4e540f123b5b7a
• Instruction Fuzzy Hash: 5FB2E0766022998BE7A7CE69D544BED37A5F78C3C8F509125EA0657B88DF34CB48CB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: ?Vse4"$NtAlpcConnectPort$NtAlpcCreatePort$NtAlpcSetInformation$TpAllocAlpcCompletion$\RPC Control\$ntdll.dll
• API String ID: 0-3440571002
• Opcode ID: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
• Instruction ID: 8c3100648684ed6cf3a6acba9f1e9974d33f54458c7afc613a7cd7d66638faa8
• Opcode Fuzzy Hash: 3e7f587f86fd0b2bf1a8a0d1d2c8b2dcce1149cee181315916f08b714af195f2
• Instruction Fuzzy Hash: 53124DF5720E9891EF94CBB9E8687C66362F78D798F81A117DE0D57624DE38C20AC700
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: ExceptionThrow
• String ID: __restrict$__swift_1$__swift_2$__unaligned$call
• API String ID: 432778473-3141380587
• Opcode ID: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
• Instruction ID: 673e966dcc0d85f334313fac89718d38bf41ed5ef13417959e8c730922fdb805
• Opcode Fuzzy Hash: 6a396b12831feff5c6f80a323355d14ea9fae3a8da964f50d645d654625ebbdc
• Instruction Fuzzy Hash: 5C627E72701E8882EB86EB25D4583DD27A1FB8EBD4F408125FA5E577A6DF38C649C700
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
• Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
• Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
• Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$taskmgr.exe
• API String ID: 0-638001070
• Opcode ID: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
• Instruction ID: 1bf4e9e1e70513e3816d114cab4aa84c7a719184b3830627372934e1f9606700
• Opcode Fuzzy Hash: 3c7d1f0fb87f662b2079bad57b09a5afaa48cb8c83d5525282594a227a335d39
• Instruction Fuzzy Hash: 0C8127F5324E9982EF95CBA8F8697D66322F7897D8F80A112CD1E57624DE38D209C704
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: C:\windows\$C:\windows\system32\$WinSta0\Default$winver.exe
• API String ID: 0-1160837885
• Opcode ID: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
• Instruction ID: 55855d67a1f766f1614c6ad6b77d44964cb4204ffe99e224a87b86ff19b563fd
• Opcode Fuzzy Hash: 1308d712bd6591429a8d37c48bbd1829232a434116c75b441977ccfa919fa798
• Instruction Fuzzy Hash: C841A4B5324E9882FF55CB69F8687966322F789BD8F40A116CD5E4B764DE3CC20AC704
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
• Instruction ID: 57088630f82899a46a4f04304140a90d468cb093ad556e4d18a7d8c59b71a2f9
• Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
• Instruction Fuzzy Hash: 5EC1387671628987EB66CF19E044B9EB791F7987C4F44C125EB4A43B84DB38EA09DB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0$ko-KR
• API String ID: 3215553584-2196303776
• Opcode ID: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
• Instruction ID: 454ebc8193fa5ca865f8f1965dd2a4e4b4682b0a5584ee5ea9980d899769f2f6
• Opcode Fuzzy Hash: f96d09346a2f6e77d59369c2194a8b950e6b78dbaa0c336e0d12ce098f52cc8c
• Instruction Fuzzy Hash: 3A71D33521070D82FBFB9A1990807E963A1E74D7C4FA4D126BE49437ABCF35CA4B9705
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: 0$p
• API String ID: 0-2059906072
• Opcode ID: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
• Instruction ID: 3ee67f828506e40d833cc10e170725f94807106ad1cab914bfb00022e22d59fe
• Opcode Fuzzy Hash: e7e5a160b0dc7bf11acf6e058a7a07693b04e0544c402e7120b811fb21f28438
• Instruction Fuzzy Hash: A731F075605E9D81EB55DF56E894BD62321F388BD8F42A212ED4E0BB24EE3CC15AC700
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
• Instruction ID: 1f61cd1c6d9a0cc47e5c3170d1c15f4e9de5b8ae94a737795fa3a990e1df4aaf
• Opcode Fuzzy Hash: 9a675805437782ecf3217d5187c311e375e8358acccf04f95891004c6cc889dd
• Instruction Fuzzy Hash: 0BA1E67231069881EBA3DB66A8047DAA3A0F78DBD4F549526FE9D07BC4DF78C64D8304
APIs
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _clrfp
• String ID:
• API String ID: 3618594692-0
• Opcode ID: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
• Instruction ID: 0593f73a9b31075b8e6bf2cb9e383320a294c5aeb291d1da762f6cdddc12ea76
• Opcode Fuzzy Hash: 0e21b991dae342f80746e460734db2b0327f033799438967f91080e093b168d9
• Instruction Fuzzy Hash: 10B12B73600B88CBEB56CF29C88679C77A0F349B88F19C916EB59877A8CB35C955C701
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: ExceptionThrow
• String ID: l section in CAtlBaseModule
• API String ID: 432778473-2709337986
• Opcode ID: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
• Instruction ID: 3133a5dfd5f79aac6ce2c53f471fbcfe22b2aa6c2a7d5a5a984ae032cb248d46
• Opcode Fuzzy Hash: a127ccbb264a5a4aec1e8b8c97d9fa5e153886bac66a3a6cc8a19aedac249b0e
• Instruction Fuzzy Hash: 23027C36600E8886EB96DF25E8443DD73A1FB8DBD5F448526EA4E43BA4DF38C648C700
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: __restrict
• API String ID: 0-803856930
• Opcode ID: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
• Instruction ID: 2a1f3f8c5416bf1435224dd1e95b651f0a407b08188742a7ac323c2b5a68232f
• Opcode Fuzzy Hash: 5745e3cfed15ffb7b3e2fa7717aad80a57a6249b3a0910dbd319ea413861beba
• Instruction Fuzzy Hash: DAF15936601F4886EB928F65D8543DC73A5EB8DBC8F548526FE0E47BA4DE78CB498340
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
• Opcode ID: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
• Instruction ID: 71f2418fc044250fc616a08c0bb954c8cfb89a1255eab9d4a98bc77a135e3a3b
• Opcode Fuzzy Hash: 5f4ddedfd77a8f2be46d5b27c9f7dfb0d5136d7c17e53cee70af679ad4ba4177
• Instruction Fuzzy Hash: 5871E235210A0D82FBFB9A29A0407F92392E7487C4F94D016BE46577EACF35CA4B9745
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
• API String ID: 0-3963691810
• Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
• Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
• Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
• Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID: ncalrpc
• API String ID: 0-2983622238
• Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
• Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
• Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
• Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700
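The function records above are only useful for pivoting (same Opcode ID in another sample, same referenced string such as `ncalrpc` or the GUID) once they are in a machine-readable form. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or of Joe Sandbox itself. It assumes only the bullet layout visible here (a `• Key: value` line per field, one record per `Instruction Fuzzy Hash` line) and strips the "Download File" link text that the export leaves on each `Associated` line. `SAMPLE` is constructed from two records on this page plus a deliberately truncated third one; `parse_records`, `index_by` and `referenced_strings` are names chosen for the example.

```python
# Added example: parse Joe Sandbox function-similarity records into dicts.
# Assumes the bullet layout shown on this page; not Joe Sandbox code.
import re
from collections import defaultdict

BULLET = "\u2022"  # the "•" that prefixes every field line
_DOWNLOAD_RESIDUE = re.compile(r"\s*Download File\s*$")  # HTML link text left by export
_SOURCE_FILE = re.compile(
    r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)

# Constructed sample: two records copied from this page (Associated lists shortened)
# and a third record cut off after Opcode ID, as the last one on the page is.
SAMPLE = """\
Strings
Memory Dump Source
\u2022 Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
\u2022 Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
\u2022 Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
\u2022 Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
\u2022 API ID:
\u2022 String ID: 201ef99a-7fa0-444c-9399-19ba84f12a1a
\u2022 API String ID: 0-3963691810
\u2022 Opcode ID: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
\u2022 Instruction ID: f859e3b1c76c282179c02603d62779a177e542a7d14e57d8a75f66858979eba8
\u2022 Opcode Fuzzy Hash: 305143c906e545cbbdba88b15ed8d96aa5c5b1023b370279aab489ed2de4cf70
\u2022 Instruction Fuzzy Hash: A54153B1715B9D46EF89CB78D9653A62322FB8C7ACF40A516C90E47765DE38C209C300
Strings
Memory Dump Source
\u2022 Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
\u2022 Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
\u2022 Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
\u2022 API ID:
\u2022 String ID: ncalrpc
\u2022 API String ID: 0-2983622238
\u2022 Opcode ID: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
\u2022 Instruction ID: 72ca54434e2e545ad87ad6f85711ca4f80c48705b1af1cf0b8a8e1738ac29a0d
\u2022 Opcode Fuzzy Hash: 8e139b6873f62461d47cfb06735ed223aa3699eae5bf13dfab6a051279dd2f2d
\u2022 Instruction Fuzzy Hash: 99312FB1721A6952EF49CF78E8687966762F79C794F91E522CE0E4B624DE3CC209C700
Memory Dump Source
\u2022 Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
\u2022 Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
\u2022 API ID:
\u2022 String ID:
\u2022 API String ID:
\u2022 Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
"""


def _clean_value(value):
    """Drop the export's 'Download File' link text and surrounding whitespace."""
    return _DOWNLOAD_RESIDUE.sub("", value).strip()


def parse_records(text):
    """Return one dict per function record; a trailing cut-off record is kept with complete=False."""
    records, current = [], {"associated": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(BULLET):
            continue  # section headings ("Strings", "Similarity", ...) carry no data
        key, _, value = line[1:].partition(":")  # split on the first ':' only
        key, value = key.strip(), _clean_value(value)
        if key == "Associated":
            current["associated"].append(value)
        elif key == "Source File":
            m = _SOURCE_FILE.match(value)
            current["dump"] = m.group("dump") if m else value
            if m:
                current["offset"] = int(m.group("offset"), 16)
                current["based_on_pe"] = m.group("pe") == "true"
        elif key == "API String ID":
            api_h, _, str_h = value.partition("-")
            current["api_hash"] = int(api_h) if value else None
            current["string_hash"] = int(str_h) if value else None
        else:
            current[key.lower().replace(" ", "_")] = value or None
        if key == "Instruction Fuzzy Hash":  # last field of a record
            current["complete"] = True
            records.append(current)
            current = {"associated": []}
    if "opcode_id" in current:  # page cut off mid-record: keep what we have
        current["complete"] = False
        records.append(current)
    return records


def index_by(records, field):
    """Group records by a field value (e.g. 'opcode_id' to spot reused functions)."""
    idx = defaultdict(list)
    for rec in records:
        if rec.get(field) is not None:
            idx[rec[field]].append(rec)
    return dict(idx)


def referenced_strings(records):
    """Sorted, de-duplicated String IDs, the quickest pivot when comparing two reports."""
    return sorted({rec["string_id"] for rec in records if rec.get("string_id")})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", referenced_strings(recs))
```

Feed it the whole exported report text and the per-field dicts can be diffed against another sample's export by `opcode_id`, `instruction_id` or `string_id`; the fuzzy hashes are kept verbatim because their comparison scheme is Joe Sandbox's own and is not described on this page.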
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
• Instruction ID: 6d80879f2b6ca484a565809d41c0eb2dabc8ae21e66747f9efe079bfb1bd8c10
• Opcode Fuzzy Hash: 3e631ec45a2daf68f48d52614a6345ed429c570a616f22469c908a5fe8b28b5b
• Instruction Fuzzy Hash: DA22D177310AA882EB46DB65C0547AC33B6FB48B84F028116FB599B7B1DF38D668C354
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
• Instruction ID: 946e0dd2bba7b3100fd246393857d7d015b19ff97fe3a12f1d34a5a40530aed8
• Opcode Fuzzy Hash: 1622125fadd830d72695094e7b85cc31ec002336933b0e724cad098e10e2d7b0
• Instruction Fuzzy Hash: E4E181722046C986EBB2CB15E8943E977A1F78E7D4F84C121EA8A936D5DF78C64DC700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
• Instruction ID: c02e86e1f92cc5576d6cd232989999bceb531278b49536794b781076c4770d9c
• Opcode Fuzzy Hash: cfe71d8e7cd50308ca462f153a194306955503b02d46b76410196ab8a6e65239
• Instruction Fuzzy Hash: BFE1D032708A848AE793CF68E5803DD77B1F74A7D8F548116EA4E57B99DE38C25AC700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
• Instruction ID: 207e761d23252ea67ff1337872d1fa257f2b4668b6d9f4a23401ae9418e5b291
• Opcode Fuzzy Hash: 16ae51d95b1815005dd45d5e3ab8a349bfdaaf9539e2a3891bf7a9a4281af68b
• Instruction Fuzzy Hash: AFB1AB72A10B8886E352CF39D8457DC37A4F389B88F519216EE4D17B66DF35D689CB00
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
• Instruction ID: 30b487c4dbfd5edb157edb9dd0446cf9089909246d75a709a71c41256c183c41
• Opcode Fuzzy Hash: a86f20f7f5deea267c01afef8e7a4c05c31875faa151d310fea3b18ea46ae3c1
                                                                                                                                          • Instruction Fuzzy Hash: 4F410672B10A5886EB14CF64F815B9AB3A8F788794F505025DF8E47B68EF3CC156C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                          • Instruction ID: 6a73b4ca67aa358b5cca9cf8f50e7addbf38a80432c4fb2377473208703d20e7
                                                                                                                                          • Opcode Fuzzy Hash: bfda2f7c180109932206dffacf20a53aef2a56dc1179a3e9a6f89e125c1a26ad
                                                                                                                                          • Instruction Fuzzy Hash: 645126E9654B9982EF94DBA9F8693D62322FB497D8F80F112CE1E57724DD38D209C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                          • Instruction ID: b6fa69fb7e3d6089a58b1dc0a55349c666dd73e1d328c0310e1d9ae523244059
                                                                                                                                          • Opcode Fuzzy Hash: 073128fd360148c17e41ec35af6a18c2df5ced6b4e463a8a16fec66cb74d860e
                                                                                                                                          • Instruction Fuzzy Hash: A351CF32715F8896EB64CB65F94478A73A5F7887C4F54412AEA8E83B28EF3CD119C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                                          • Instruction ID: 9937fe3f73516922539d469a7d9b5dbd200fa43091dfd9594953e81ca0841af9
                                                                                                                                          • Opcode Fuzzy Hash: de1111058f7c16aa1c110f3b5979ca66c856bb8bda45b3eaebbbd55d773fd606
                                                                                                                                          • Instruction Fuzzy Hash: 7F51C2B5760E9982EB64CF65E8687D66321FB89BD4F44E126DE0E57B24DE3CC11AC300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                                          • Instruction ID: 211af31c44281ca6c3f3932d9a28d26ed70725301ca9e5a4bb4aa04c7d8998f6
                                                                                                                                          • Opcode Fuzzy Hash: a53c239ed1f9684605d2ef346be0b8bf89de5d156fdc40e0d799da5887b65061
                                                                                                                                          • Instruction Fuzzy Hash: 25419232310A5886EB85CF6AE954399A391E34CFD4F49D427EE4D97B58DE3CC649C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                                          • Instruction ID: 9b73b6c5183f860324fa61cee2baeb0ca0f8f8b507aed4a99a4e0eda6c344d24
                                                                                                                                          • Opcode Fuzzy Hash: 68527aba035480757e2393879a0d4de352a47f6bf703ed5fa56455fc597868c2
                                                                                                                                          • Instruction Fuzzy Hash: 984103B3714E4995EB25CF61E86478AB3A5F3887D8F44E126EE4D07A58DF38C246C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                                          • Instruction ID: 048e6db2ecfd184872977d7eb727c5e493510e05d032e6f18c4ab6865a9947bf
                                                                                                                                          • Opcode Fuzzy Hash: eaae997217fc1b3336f25de6e62d34e0746f7d3c2a6a256d0b5f71472e0a0425
                                                                                                                                          • Instruction Fuzzy Hash: B341B37261C6888AF7EB8F15B4847967B91E34E3D0F11C429F94A87691DF79C6888F00
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                                          • Instruction ID: ea9816badbe891c07a2aded6d1ec92d5857af46983f2473552b7590bc608b90a
                                                                                                                                          • Opcode Fuzzy Hash: 59276b993bbd5f607d6d3a9a9acf607f8ad274a0d99c33aa421d3a75b3b8979b
                                                                                                                                          • Instruction Fuzzy Hash: 24419D76B20A8886EB14CB65F45479AB365F38CBC4F40912ADE4E53B68DE3CC216C740
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
                                                                                                                                          • Instruction ID: ff810da637aa1fd401c95da2c6d69315e604f84d2d111450c1a2a7c20e68e2a5
                                                                                                                                          • Opcode Fuzzy Hash: f3a4f3e3c3f40ea96cedb268f2507c4aa92d7cf089ba266e7691892548829ecb
                                                                                                                                          • Instruction Fuzzy Hash: B941FFB2318F89D6DB54CFA5E4A579A7B61F388788F84901ADE4E47A14DF38C12AC340
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
• Instruction ID: 1f6bebfb10a220892d2831274fb9d9e41c253fa787b11ea253d3ff134c5c468f
• Opcode Fuzzy Hash: a7caa211d1805da3631b5417297298fbd746491c9ff13b9b06d3acbe089dc0ae
• Instruction Fuzzy Hash: FF419FB2214F88D2EB54CF55E88478AB7A6F3447C4F94D126EE8D5BA18CF78C15AC740
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
• Instruction ID: d558cfae5a731fffe16df58c07b62597b32ae423ecf54f032ed4b289fbb168ab
• Opcode Fuzzy Hash: 9dc054b22e393740934c6599b1190f187be60ae239c821f3ddf288e380813183
• Instruction Fuzzy Hash: 4041D3B2324E4DD2DF48CB15E454B9A7365F748BC8F658216DA4E87768EF39C21AC700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
• Instruction ID: c4b80034388e89da8ffe7b427c8155ba048d36e5b74cf413b7ce4096cc0294b9
• Opcode Fuzzy Hash: 711a5f6cc3d39d5f0aef55b7034a878137727931ce5006779a437fec81a29920
• Instruction Fuzzy Hash: AC4126B2728E48A2DB14CF25E69878E7762F3443C4F45A206EE4E57328DF39C225C700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
• Instruction ID: 30f2c0aa2bc627d33595a3753288768bcaf23473739ac437f1ff85fbf168e941
• Opcode Fuzzy Hash: c02ea177d7df7be9d47921f817159e6b389a93a74e3aee8d1a395a9d44e4e98a
• Instruction Fuzzy Hash: FA31CFB2764E8987EB94CFA4E4657EA3B21F384398F84911BDE4F47A14DE68C01AC341
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
• Instruction ID: 42c4d16a0e0d136c5a94160c46d85d5892129638e54f14ca30ac4ff8e229c4e5
• Opcode Fuzzy Hash: c43f2c2cbd10ab131c97a87bfb9a8d77e076664a556218998fa3f3ff93ba8f25
• Instruction Fuzzy Hash: 65310DF9654B9892EB55DBB8F8697C62322F74D7D8F81B502CE0E27624DE38D209C740
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
• Instruction ID: 91db3ca7ca736f51b2b9f4a1fdda40ff6b442f2c49d3b76bc6f7bd54feb42801
• Opcode Fuzzy Hash: 2bce6376752d693395b932a5d9318ffbe6d4c9bed5557d96fc3b5228a6ed1993
• Instruction Fuzzy Hash: 2531FBB5314E8481EF99CF66ECA93A66362FB88BE4F54E1168E0F57B64CE3DC1458304
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
• Instruction ID: b9540b73c02fa2fd8fd9ed4b04a7558bae6bb2522907684b3f8178f982c6447f
• Opcode Fuzzy Hash: 11c12f5db1e7ae7d88fc0262756b9d0bf6622ca984ac394aaf837a3336d7d9a4
• Instruction Fuzzy Hash: 3F215EF53159A882EB95CF65E8787972322FB49BD8F81E112CD1E57764DE38C209C304
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
• Instruction ID: 34ebe62695f2a6a6ea2397927167a92a4784dc70ec7df40509b9419055f8788e
• Opcode Fuzzy Hash: e74b49f80d6d3cffa9bfb68b489edd80f871d1e69f348bd9d5bedd62bb40d514
• Instruction Fuzzy Hash: 7D31C1F6715A499AEB14CF60E46478AB3A5F3447C8F48E226EA4E47A1CDF78C219C304
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
• Instruction ID: ea228047f8abccb8f34d8cb69d0855da280cee6fe6b78123f25de321abaee775
• Opcode Fuzzy Hash: 29ed0da8da41128ee95df92606b628508953cd21a2e597ae56ff743980468b27
• Instruction Fuzzy Hash: BD2101B2724E8885EB95CF62E828B9A7361F38CBD4F419126DE4E47B54CE3CC10AC700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
• Instruction ID: 6d7058e35041f85eefca8006119c3596d2fa62747ef7dd2be534be946fff4e46
• Opcode Fuzzy Hash: 659e1158283c071cac0272366369d00d1cfa562a966f2f5affa459bf10e8deba
• Instruction Fuzzy Hash: BB21D5B2764E5892DB59CFB6E864BC63761E759BD4F40A116EE0D57324EE38CA06C300
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
• Instruction ID: 64e956f36281cdf23b4cab459502cafc9c3b83219f603c2a53f066b43bdf7739
• Opcode Fuzzy Hash: 879b8cc6a287b552be2b8c7838c9cf5361018535551b3c5eae2337da7c2a05c9
• Instruction Fuzzy Hash: 9931A2B2724A49A6DB15CF64D25878E7B62F3443D8F49A206DB0E57628EF39C16AC700
Memory Dump Source
• Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                          • Instruction ID: 8007ea01a93bf6de8c95f9a16faa5e8d6c04bd6e38d315922757046993a1328b
                                                                                                                                          • Opcode Fuzzy Hash: 7643b34bb1144c09516ca8224fed32c138a04b2f755b136cd71388444af2efbb
                                                                                                                                          • Instruction Fuzzy Hash: 5F2148F5761EA982EB89CFB5E86979A2321E749BD8F41A112CD0E17724DE2CD6098300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                          • Instruction ID: baf3eb62263214422a0973d769ae56c08939dd68f110effc1bb9cb03c9f86de4
                                                                                                                                          • Opcode Fuzzy Hash: c104ebe3e0084b9c2d6c68d3b1b1809b1ba36be3a0ef8b7a361271054a232770
                                                                                                                                          • Instruction Fuzzy Hash: CE2159F5720AA892EB85CFB4E468BD627A1F74C3A4F81A413DE0D47620EE39C209C300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                          • Instruction ID: 7d1135aa24797edbf35de8feb47ffd13e3235087d5b84f893e072cfd3e31e24b
                                                                                                                                          • Opcode Fuzzy Hash: 5d83384389e1bc3f5c40116a0a1417798e316c1697b6e029db620e488cbd2b1f
                                                                                                                                          • Instruction Fuzzy Hash: D1118EA271498C46FB96DBB4F969BD76322EB4C3A9F80A012DD0D07A55DD3CC24AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                          • Instruction ID: 95480194bb9f6c9ad9d964584a4fad66eb43ce3f3ee230db89eb3e49904c33dd
                                                                                                                                          • Opcode Fuzzy Hash: 0213aaa7a16af12e76c05f13803a6cb1816da3aa76317169f32ff85a43e83aea
                                                                                                                                          • Instruction Fuzzy Hash: 56210BF2711A5D92EB49DF75D868BD667A2E78CBD4F41E512CD0E5B624DE3CC2098300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                          • Instruction ID: 02ba138fbc53fc0a7e206b6c0fccc1f4cb11f22df8a79a790e142c2087e4c986
                                                                                                                                          • Opcode Fuzzy Hash: 3f85260008f1cca6d719552e34a0840437b2decd6b2aec5b8999dc0ce01bbffe
                                                                                                                                          • Instruction Fuzzy Hash: 48213BB6761A5DC5EF49DF65E868B8A6721F788BD8F41A122CD0E47728DE3CD209C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                          • Instruction ID: 4519c20df033b0754d584584f46a47e9c3f61284702b1b178af72c485ed47193
                                                                                                                                          • Opcode Fuzzy Hash: 803c451430e3029bb009500dace81e7bc3217c3b4584f2ef31f91a53a698693d
                                                                                                                                          • Instruction Fuzzy Hash: E02160F5714F8482EB45CBB5E8593CA63B1FB897A4F40A506DA4E57A24EE3CD20AC700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                          • Instruction ID: bc53908923a101081ac78a2ff91d1596a8a62396a49556bd27b6b69a29ae519e
                                                                                                                                          • Opcode Fuzzy Hash: 566796d93a591df3f5db1c38c43d6e1f2c58bb1bf9c844d883f4a478785d6911
                                                                                                                                          • Instruction Fuzzy Hash: 6511E3E262096C82FB59DFA6A869F862332E349BD8F01E123DD5E5B714DD39C10BC300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                          • Instruction ID: 8fbfe2caa4e00eb4ae2a73ae29cd16ebba4a4082f14f5113274d96e794981e6d
                                                                                                                                          • Opcode Fuzzy Hash: 3a56065663d7f32470598edd8e4c56aa3322786b1e37be48fd2162c7dda414fd
                                                                                                                                          • Instruction Fuzzy Hash: 0721A4B2709A9882EB55CF64E4687977761FB8C798F41A116DE4E47A14EF3DC109C700
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4de039b8aeb4dd7a341e305cb49e7d4a566f2f03f9a363aa92138b342856feec
                                                                                                                                          • Instruction ID: c05fe9916e29f3615726ac8ab40efd06a7f832fe150a5180127c36e0d361f74a
                                                                                                                                          • Opcode Fuzzy Hash: 797ab2e302fecb4ee9151d5ec147357b9b6b8374a5a73c2aa17e4c7710b83c27
                                                                                                                                          • Instruction Fuzzy Hash: 130125F1652E5E82FB59CBA4E569BC66362EB487D8F40F1179D0D07618EE3CD219C304
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7d3ddfbc868f6065ffe767d851de8c921da867ab70b60f36a16818b6ae2783e2
                                                                                                                                          • Instruction ID: 25fa32b9592b03976deda56ce68f7006c0e09b50e392c9a4b74df2dc8d512546
                                                                                                                                          • Opcode Fuzzy Hash: 7d3ddfbc868f6065ffe767d851de8c921da867ab70b60f36a16818b6ae2783e2
                                                                                                                                          • Instruction Fuzzy Hash: 7CF0127785EBC45FD39B4E3418692D82F60E3A6F10F999097D2B1872C3DA0D490A8755
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                                          • Instruction ID: c5723c18dcfd40d5e26eb64c6513ed8ad7c8279d3e69258c72aec0d621b19a73
                                                                                                                                          • Opcode Fuzzy Hash: c92cc2c6b8134dcd1d90e81fd4ee0dc0e69cf849aebd7e5d77ccca44f26df776
                                                                                                                                          • Instruction Fuzzy Hash: 15F06871714A548AEBD5CF2CA44276A77D0F30C3C4FA0C519E68983B04D63D8165CF04
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4d5f7c9d0704411a4b56306bd58b46b9c1021f1cb262293bba8d931b5fd5afcd
                                                                                                                                          • Instruction ID: 1bf6acf3fe077d02731fcfa794fd65e31f8237ceadce551fdfbbfb6cfb4d3e63
                                                                                                                                          • Opcode Fuzzy Hash: 4d5f7c9d0704411a4b56306bd58b46b9c1021f1cb262293bba8d931b5fd5afcd
                                                                                                                                          • Instruction Fuzzy Hash: D2E04F57D0AEC846F3DB001849193C90B899B1A7B4F99D36E5E74472D35F0A8A056345
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _set_statfp
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1156100317-0
                                                                                                                                          • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
                                                                                                                                          • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: *$ko-KR
                                                                                                                                          • API String ID: 3215553584-1095117856
                                                                                                                                          • Opcode ID: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                                          • Instruction ID: 247b425bc4075f99800c1718c7ffe54540729addd1f222e63731e205efc231c0
                                                                                                                                          • Opcode Fuzzy Hash: 86bec7efc410530c5bc9a2fbb52b1d77945cde645c424444667ef471f83eee53
                                                                                                                                          • Instruction Fuzzy Hash: B0718F72504E58C6E7FA9F2980443BC3BA0F34DBD8F649216EA4646399DF31CA8AC750
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: __swift_1$__swift_2
                                                                                                                                          • API String ID: 0-2914474356
                                                                                                                                          • Opcode ID: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                          • Instruction ID: e36f902788c0381efdc077c6dc949100de42eee437ea8b415927d241f746463c
                                                                                                                                          • Opcode Fuzzy Hash: 032175703d403af43845841e7270c54589e151d9aabe520c8013fad0eb530d90
                                                                                                                                          • Instruction Fuzzy Hash: CF618E32300A8882EF96DB29E5447E963A1FB4CBD4F488525EF6D4779ADF38D645C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfff$o-l1-2-1
                                                                                                                                          • API String ID: 3215553584-1082851355
                                                                                                                                          • Opcode ID: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                          • Instruction ID: 4e08fe91d50fd43471445e9309ac5ad4362738dffbe45d8770cad9fb3b789804
                                                                                                                                          • Opcode Fuzzy Hash: 12dcbdbdd5235fb1b6ab94a0cc892e5fb23d71a1fe9ba5ecef1039a303d64847
                                                                                                                                          • Instruction Fuzzy Hash: 5951F4737147C886E7A78B35E9413997B91E399BD0F48D221EB944BAD6CE38C698C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: api-ms-win-core-sysinfo-l1-2-1$synch-l1-2-0
                                                                                                                                          • API String ID: 3215553584-688204690
                                                                                                                                          • Opcode ID: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                          • Instruction ID: 9d4985de47fc3aa1ddc341b920f7898ed377652abc42465d74999370fa1411ca
                                                                                                                                          • Opcode Fuzzy Hash: 0f102de843e7ec0c7a5e751bb160ca61ca373fda3eee5e3f3a8aa3db407457e4
                                                                                                                                          • Instruction Fuzzy Hash: 86418E72705F888AE782CF65E8507CE73A5F7193C8F518126EA9807B99DF38C629C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                                          • String ID: csm
                                                                                                                                          • API String ID: 3780691363-1018135373
                                                                                                                                          • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction ID: 011c5e600e2baba1b5aebe761702f78806dc8dec4a9d5acc90072a234146c346
                                                                                                                                          • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction Fuzzy Hash: 40212D76204A4887E7B2DF15E05079E7760F39DBE4F008206EEA943795CF39DA8ACB01
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __std_exception_copy
                                                                                                                                          • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                                          • API String ID: 592178966-1611991873
                                                                                                                                          • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                                          • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.2095718567.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.2095679077.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096028035.0000000180119000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096091822.000000018011D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000000.00000002.2096392662.0000000180121000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_180000000_TsWpfWrp.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                          • String ID: File
                                                                                                                                          • API String ID: 932687459-749574446
                                                                                                                                          • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                                          • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:1.8%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:5.6%
                                                                                                                                          Total number of Nodes:107
                                                                                                                                          Total number of Limit Nodes:17
                                                                                                                                          execution_graph 27876 254a27d0000 27879 254a27d0a68 27876->27879 27878 254a27d0019 27881 254a27d0a84 27879->27881 27880 254a27d0b0e 27880->27878 27881->27880 27883 254a27d0768 27881->27883 27886 254a27d0778 27883->27886 27885 254a27d0771 27885->27880 27887 254a27d07a8 27886->27887 27889 254a27d088a 27887->27889 27890 254a27d0508 27887->27890 27889->27885 27893 254a27d052c 27890->27893 27891 254a27d06fa 27891->27889 27892 254a27d061d LoadLibraryA 27892->27891 27892->27893 27893->27891 27893->27892 27894 254a27d06c1 GetProcAddressForCaller 27893->27894 27894->27891 27894->27893 27895 254a27a0000 27898 254a27a0a68 27895->27898 27897 254a27a0019 27899 254a27a0a84 27898->27899 27901 254a27a0b0e 27899->27901 27902 254a27a0768 27899->27902 27901->27897 27905 254a27a0778 27902->27905 27904 254a27a0771 27904->27901 27906 254a27a07a8 27905->27906 27908 254a27a088a 27906->27908 27909 254a27a0508 27906->27909 27908->27904 27912 254a27a052c 27909->27912 27910 254a27a06fa 27910->27908 27911 254a27a061d LoadLibraryA 27911->27910 27911->27912 27912->27910 27912->27911 27913 254a27a0345 27914 254a27a03ff 27913->27914 27916 254a27a0360 27913->27916 27915 254a27a0387 VirtualFree 27915->27916 27916->27914 27916->27915 27921 1800019d0 DeleteFileW 27922 1800019e3 SleepEx DeleteFileW 27921->27922 27923 1800019fb 27921->27923 27922->27922 27922->27923 27924 180001920 memset GetModuleFileNameW wcsstr 27925 1800019a8 27924->27925 27926 18000197a IsUserAnAdmin 27924->27926 27936 180001010 malloc 27925->27936 27927 180001984 27926->27927 27928 180001995 27926->27928 27973 1800015b0 28 API calls 27927->27973 27933 18000199f ExitProcess 27928->27933 27932 18000198c ExitProcess 27937 180001568 27936->27937 27943 18000104e 27936->27943 27938 180112660 8 API calls 27937->27938 27939 18000159f 27938->27939 27974 180112660 27939->27974 27940 1800010c4 malloc 
27940->27937 27941 1800010db memcpy memcpy 27940->27941 27942 180001120 27941->27942 27942->27937 27942->27942 27944 180001195 memset wsprintfW CreateFileW 27942->27944 27943->27940 27945 180001212 GetLastError 27944->27945 27946 18000121a WriteFile 27944->27946 27947 18000124c SleepEx memset wsprintfW CreateFileW 27945->27947 27948 180001243 CloseHandle 27946->27948 27949 18000123d GetLastError 27946->27949 27950 1800012c4 GetLastError 27947->27950 27951 1800012cc WriteFile 27947->27951 27948->27947 27949->27948 27952 1800012fe SleepEx memset wsprintfW CreateFileW 27950->27952 27953 1800012f5 CloseHandle 27951->27953 27954 1800012ef GetLastError 27951->27954 27955 180001376 GetLastError 27952->27955 27956 18000137e WriteFile 27952->27956 27953->27952 27954->27953 27957 1800013ac Sleep 27955->27957 27958 1800013a3 CloseHandle 27956->27958 27959 18000139d GetLastError 27956->27959 27957->27937 27960 1800013c1 VirtualAlloc 27957->27960 27958->27957 27959->27958 27960->27937 27961 1800013e6 memcpy CreateThread 27960->27961 27983 180001a10 CoInitializeEx 27961->27983 27964 180001523 memset memcpy CreateThread 27964->27937 27965 180001430 VariantInit 27966 180001498 27965->27966 27967 18000149c SysAllocString 27966->27967 27968 1800014be GetLastError 27966->27968 27970 1800014ba 27967->27970 27969 1800014c4 27968->27969 27969->27964 27971 1800014ca memset wsprintfW 27969->27971 27970->27968 27970->27969 27991 180001d60 27971->27991 27973->27932 27975 180112669 27974->27975 27976 1800019c0 27975->27976 27977 180112a14 IsProcessorFeaturePresent 27975->27977 27978 180112a2c 27977->27978 28004 180112ae8 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 27978->28004 27980 180112a3f 28005 1801129e0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 27980->28005 27984 180001b50 27983->27984 27984->27984 27985 180001cae CLSIDFromString 27984->27985 27986 180001d04 IIDFromString 27985->27986 27987 180001d3b 27985->27987 27986->27987 
27988 180001d17 CoCreateInstance 27986->27988 27989 180112660 8 API calls 27987->27989 27988->27987 27990 180001423 27989->27990 27990->27964 27990->27965 27992 180001da5 SysAllocString 27991->27992 28003 18000206a 27991->28003 27993 180001dbb 27992->27993 27996 180001dd9 SysAllocString SysAllocString 27993->27996 27993->28003 27994 180112660 8 API calls 27995 180002086 27994->27995 27995->27964 27997 180001e08 27996->27997 27998 180001f1f IIDFromString 27997->27998 27997->28003 27999 180001f4c 27998->27999 28000 180001f5e SysAllocString SysAllocString 27999->28000 27999->28003 28001 180001f88 28000->28001 28002 180001fd9 VariantInit SysAllocString 28001->28002 28001->28003 28002->28003 28003->27994 28004->27980
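                                                                                                                                          The execution_graph dump above is a flat serialization: each `<id> <address> [API ...]` group declares a basic block of the injected module, `<a>-><b>` is a control-flow edge, and `N API calls` stands for a collapsed callee. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses an excerpt of that text (copied from the svchost.exe graph above) into per-block API lists and applies triage rules for the behaviours the graph records: LoadLibraryA/GetProcAddressForCaller resolution from the non-PE-backed region at 0x254a27d0000, the IsUserAnAdmin check that leads to ExitProcess, the CreateFileW/WriteFile drop retried after SleepEx, VirtualAlloc followed by memcpy and CreateThread, and the DeleteFileW/SleepEx self-delete loop. The token grammar, the PE-backed address bound and the rule thresholds are this example's assumptions, not report facts.

```python
"""Parse a Joe Sandbox execution_graph dump into per-block API lists and triage it.

Added example, not part of the report. GRAPH_EXCERPT is copied from the report's
execution_graph text for the svchost.exe snapshot; the token grammar, the
PE-backed range and the rules below are this example's assumptions.
"""
import re
from collections import deque

# Constructed excerpt of the report's graph: "<id> <addr> [APIs...]" declares a
# block, "<a>-><b>" an edge, "N API calls" a collapsed callee (treated as noise).
GRAPH_EXCERPT = """
27887 254a27d07a8 27890 254a27d0508 27887->27890 27893 254a27d052c 27890->27893
27892 254a27d061d LoadLibraryA 27892->27893 27893->27892
27894 254a27d06c1 GetProcAddressForCaller 27893->27894 27894->27893
27921 1800019d0 DeleteFileW 27922 1800019e3 SleepEx DeleteFileW 27921->27922 27922->27922
27924 180001920 memset GetModuleFileNameW wcsstr 27926 18000197a IsUserAnAdmin 27924->27926
27927 180001984 27926->27927 27973 1800015b0 28 API calls 27927->27973
27928 180001995 27926->27928 27933 18000199f ExitProcess 27928->27933
27944 180001195 memset wsprintfW CreateFileW 27946 18000121a WriteFile 27944->27946
27947 18000124c SleepEx memset wsprintfW CreateFileW 27948 180001243 CloseHandle
27946->27948 27948->27947 27951 1800012cc WriteFile 27947->27951
27952 1800012fe SleepEx memset wsprintfW CreateFileW 27953 1800012f5 CloseHandle
27951->27953 27953->27952 27956 18000137e WriteFile 27952->27956 27957 1800013ac Sleep
27958 1800013a3 CloseHandle 27956->27958 27958->27957 27960 1800013c1 VirtualAlloc
27957->27960 27961 1800013e6 memcpy CreateThread 27960->27961
27983 180001a10 CoInitializeEx 27961->27983
"""

NODE_ID, HEX_ADDR = re.compile(r"\d{5}"), re.compile(r"[0-9a-fA-F]{7,16}")
API_NAME, NOISE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*"), {"API", "calls"}

def parse_graph(text):
    """nodes[id] = (address, [api names]); succ[id] = set of successor ids."""
    nodes, succ, current = {}, {}, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            succ.setdefault(src, set()).add(dst)
        elif (NODE_ID.fullmatch(tok) and i + 1 < len(tokens)
              and HEX_ADDR.fullmatch(tokens[i + 1])):
            current = tok
            nodes[current] = (int(tokens[i + 1], 16), [])
            i += 1  # the address token is consumed with the id
        elif current and API_NAME.fullmatch(tok) and tok not in NOISE:
            nodes[current][1].append(tok)
        i += 1
    return nodes, succ

def reachable(succ, start, max_depth):
    """Ids reachable from start within max_depth edges (self-loops included)."""
    seen, queue = set(), deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth < max_depth:
            for nxt in succ.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return seen

# Assumption: PE-backed range of the injected DLL. The report lists its dumps from
# 0x180000000 to 0x180121000; the 2 MiB ceiling is a generous guess, not a fact.
PE_BACKED = [(0x180000000, 0x180200000)]

def triage(text):
    """Apply behavioural rules to the graph; returns {rule: evidence}."""
    nodes, succ = parse_graph(text)
    calls = lambda nid, prefix: any(a.startswith(prefix) for a in nodes[nid][1])
    nearby = lambda nid, prefix: any(calls(n, prefix)
                                     for n in reachable(succ, nid, 3) if n in nodes)
    out = {}
    for nid, (addr, apis) in nodes.items():
        # Import resolution from memory no PE is mapped at: shellcode-style stub.
        if ("LoadLibraryA" in apis and nearby(nid, "GetProcAddress")
                and not any(lo <= addr < hi for lo, hi in PE_BACKED)):
            out["dynamic_api_resolution_outside_image"] = f"{addr:x}"
        # Admin check whose outcome leads straight to ExitProcess.
        if "IsUserAnAdmin" in apis and nearby(nid, "ExitProcess"):
            out["admin_check_gates_execution"] = f"{addr:x}"
        # Allocate, copy, start a thread: payload staged in memory, not as a PE file.
        if "VirtualAlloc" in apis and nearby(nid, "CreateThread"):
            out["in_memory_thread_execution"] = f"{addr:x}"
        # DeleteFileW looping on itself with a sleep: retry-until-gone self removal.
        if {"DeleteFileW", "SleepEx"} <= set(apis) and nid in succ.get(nid, ()):
            out["self_delete_retry_loop"] = f"{addr:x}"
    # The drop path is opened again after a SleepEx: retries on a failed write.
    creates = [n for n, (_, a) in nodes.items() if "CreateFileW" in a]
    retries = [n for n in creates if "SleepEx" in nodes[n][1]]
    if len(creates) >= 2 and retries:
        out["drop_retry_loop"] = {"attempts": len(creates), "retries": len(retries)}
    return out

def api_trace(text):
    """Readable per-block API listing in address order, empty blocks dropped."""
    nodes, _ = parse_graph(text)
    return [f"{addr:x}: {' '.join(apis)}" for addr, apis in sorted(nodes.values()) if apis]

if __name__ == "__main__":
    print("\n".join(api_trace(GRAPH_EXCERPT)))
    for rule, evidence in triage(GRAPH_EXCERPT).items():
        print(f"[+] {rule}: {evidence}")
```

                                                                                                                                          Running the block prints the address-ordered API trace and the five findings; the full execution_graph text of this or another report can be passed to `triage` unchanged as long as the token layout is the same. Replace PE_BACKED with the real module size from the report's PE section listing when it is available, otherwise a legitimately mapped module just above the guessed ceiling would be flagged as a non-image region.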

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 0 180001010-180001048 malloc 1 18000104e-18000107d call 180113300 0->1 2 180001590-1800015a9 call 180112660 0->2 7 180001084-18000108c 1->7 8 18000107f-180001082 1->8 10 180001093-1800010a4 7->10 11 18000108e-180001091 7->11 9 1800010c4-1800010d5 malloc 8->9 12 180001578-180001588 9->12 13 1800010db-180001116 memcpy * 2 9->13 14 1800010a6-1800010a9 10->14 15 1800010ab-1800010be call 180113336 10->15 11->9 12->2 16 180001120-18000116c 13->16 14->9 15->9 16->16 19 18000116e-18000117a 16->19 20 180001180-18000118b 19->20 20->20 21 18000118d-18000118f 20->21 21->12 22 180001195-180001210 memset wsprintfW CreateFileW 21->22 23 180001212-180001218 GetLastError 22->23 24 18000121a-18000123b WriteFile 22->24 25 18000124c-1800012c2 SleepEx memset wsprintfW CreateFileW 23->25 26 180001243-180001246 CloseHandle 24->26 27 18000123d GetLastError 24->27 28 1800012c4-1800012ca GetLastError 25->28 29 1800012cc-1800012ed WriteFile 25->29 26->25 27->26 30 1800012fe-180001374 SleepEx memset wsprintfW CreateFileW 28->30 31 1800012f5-1800012f8 CloseHandle 29->31 32 1800012ef GetLastError 29->32 33 180001376-18000137c GetLastError 30->33 34 18000137e-18000139b WriteFile 30->34 31->30 32->31 35 1800013ac-1800013bb Sleep 33->35 36 1800013a3-1800013a6 CloseHandle 34->36 37 18000139d GetLastError 34->37 38 1800013c1-1800013e0 VirtualAlloc 35->38 39 180001568-180001570 35->39 36->35 37->36 38->39 40 1800013e6-18000142a memcpy CreateThread call 180001a10 38->40 39->12 43 180001523-180001562 memset memcpy CreateThread 40->43 44 180001430-18000149a VariantInit 40->44 43->39 46 18000149c-1800014bc SysAllocString 44->46 47 1800014be GetLastError 44->47 46->47 48 1800014c4-1800014c8 46->48 47->48 48->43 50 1800014ca-18000151e memset wsprintfW call 180001d60 48->50 50->43
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorLast$File$Creatememset$memcpywsprintf$CloseHandleSleepWrite$AllocThreadmalloc$InitStringVariantVirtual
                                                                                                                                          • String ID: %s\%s$\Microsoft\Windows
                                                                                                                                          • API String ID: 1085075972-4137575348
                                                                                                                                          • Opcode ID: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                                          • Instruction ID: ca852493329d7e8b29278f03f5207e3e8a0b6c409a20f5d7edd43a4be3d27a44
                                                                                                                                          • Opcode Fuzzy Hash: 11d6cde565b72d1d43927487ff83bed9824f46b89a23802b2bfd78be970e790e
                                                                                                                                          • Instruction Fuzzy Hash: 4DF18A32610F8985F7A6CF24E8087DD33A0F78DBA8F449215EE9A17694EF38C249C700

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FromString$CreateInitializeInstance
                                                                                                                                          • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                                          • API String ID: 511945936-2205580742
                                                                                                                                          • Opcode ID: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                                          • Instruction ID: 28b9f900473ef5d70d4cda544e42fab565c9dc4f26e78512e927f69b0d8a042f
                                                                                                                                          • Opcode Fuzzy Hash: 024cd465da59768dcf6c08cf3900c20a72cd4ffd1450610ea91f3c4b38ce9232
                                                                                                                                          • Instruction Fuzzy Hash: 0291FD73D18BD4CAE311CF7994016EDBB70F799348F14A249EB946A919EB78E684CF00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3335954432.00000254A27D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_254a27d0000_svchost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 4215043672-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: 5da7f39cbacceb92399f880ac11b8483b1045c25be6ff878235f79e0700b892a
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: D0710434608E098FEF99EF58C85A7B9B7E1FF84311F20111AD809C7685DB34D9828F89

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: String$Alloc$FromInitVariant
• String ID: SYSTEM${4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047}
• API String ID: 929278495-107290059
• Opcode ID: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction ID: 371f9a688604c33e3b5ae190077701ce0554801126743d20ac49bde758192535
• Opcode Fuzzy Hash: ce7cb2923214bf6d84e2195aaa923cf65e5dbc7fe3967ba643ece21ae7ad8fe5
• Instruction Fuzzy Hash: E5B1C236B00B558AEB40DF6AD88829D77B1FB88FA9F559016DE0E57B28DF35C189C300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3335924780.00000254A27A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_254a27a0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
• API String ID: 1029625771-3994871222
• Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction ID: 9021d3ecbc34b4970be65b13060bafbda6fe6850f1967d82835826a3cbf9b043
• Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
• Instruction Fuzzy Hash: 21712534608E098FEF99EF18C8597B9B3E1FF84325F600519D809C7685DB34D9828B89

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: DeleteFile$Sleep
• String ID:
• API String ID: 2100639427-0
• Opcode ID: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction ID: ee9c1bd20bde787a3df6403edb75ddca03fdaf3f5216dae4a0b383b50a80e175
• Opcode Fuzzy Hash: 819f48160997e5889829df66ddb1cfbaf94046e4fda21bae77f85b2f67c4eaa9
• Instruction Fuzzy Hash: 5CD05E20301A0986FB9A5BB2E8583E613A85B0DBD2F0860249C1685280DF18C7CE8301

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.3335924780.00000254A27A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_254a27a0000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: 75997eec585f0317f8414c677bffcf0459e421bc355df8ea6b1ca7857b1911b4
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: DC31E53568CA008BDB5DEA1CE8D1678B3D0F755315B70055DE9C7C7187EA39E8438689

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.3335954432.00000254A27D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000254A27D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_254a27d0000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction ID: e3ed0f516c29daf8e20b6b3a591f9c0d0636def2597ccc9132ac2315a0f12283
• Opcode Fuzzy Hash: 88289986f9ffe6edc648fa77a415d0491739a420f0f8400cd95d764a84c61761
• Instruction Fuzzy Hash: A831F73168CA008BDB5DEA1CF8D1678B3D0F755305B34125DD9C7C7187EA39E8438A89

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
Similarity
• API ID: mallocmemset$CloseEnumHandleServiceServicesStatusmemcpy$FileManagerModuleNameOpenfreelstrcmpi
• String ID: Schedule
• API String ID: 3636854120-2739827629
• Opcode ID: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction ID: 6ee3f7f16e62e9fbbf62cb728b63543f6f6100922e48a7ada6915e3d38cfd098
• Opcode Fuzzy Hash: 7697f6b2c45ef8c94f65c33818677cfec83935d60c7d49dafd4f2fb68cf7ed65
• Instruction Fuzzy Hash: 84A1AE36705B8886EBA5CB19E4883EDB7A4F78DB94F54D128EE8903755EF38D648C700

Control-flow Graph

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: :_:$:Y:$:$A::$X:[:$X:^:$Y::$Y:\:$\:[:$\:^:$^:G:
                                                                                                                                          • API String ID: 0-2205580742
                                                                                                                                          • Opcode ID: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                          • Instruction ID: 735d654c1826384a2aa375a990052bd8b2c40d728d339a4327521d6e3b39b447
                                                                                                                                          • Opcode Fuzzy Hash: d90148109c58263767cfb54190a6e54a75e0a48cc10efb8014eb7dc9dcd99103
                                                                                                                                          • Instruction Fuzzy Hash: 9D91FE73D18BD4CAE311CF7999016ADBB70F79534CF10A249EB9466919EB78E580DF00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfffffff
                                                                                                                                          • API String ID: 3215553584-1523873471
                                                                                                                                          • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction ID: 7c5b9028af6473dd728daef05391e74bafcea77e80a4e195b251d3550d854208
                                                                                                                                          • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction Fuzzy Hash: 869145767057CC86EF97CB2AE4013EDABA5A758BC4F06C022EA5947395DE3DC60AC701
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
• Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                          • String ID: gfffffff
                                                                                                                                          • API String ID: 3215553584-1523873471
                                                                                                                                          • Opcode ID: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction ID: 30fee2d5807d453b6a588d841feeedf77bfa83e5d18ed609280c2a3a8963a1f2
                                                                                                                                          • Opcode Fuzzy Hash: 2520fe7bf4aaf198221899a8f6838957eb71f23a71b26e0d8cd2dd751d59c1b4
                                                                                                                                          • Instruction Fuzzy Hash: 4D918A63759BC48AEF51EB2DD8283ADE7A4A758BDDF058062DE4947381FA3DC546C300

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: 20208a98ab850ec38ed8325cc0af7ea2ed5af357558f35f83d8d5c5aa49ef683
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: C631923160994C86FBE7BBA5D4523EA2391AB4E3C4F45C425B94A473D7DE28CB4E8350

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
• Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__security_init_cookie__vcrt_initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1326835672-0
                                                                                                                                          • Opcode ID: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction ID: d84b1f094a5e861bc4132b67e6716586e3f27df7e718f2de4a55c43045e2aa54
                                                                                                                                          • Opcode Fuzzy Hash: 428f1bac40111efcf19b2a06b83d8cc5b337c87ddf82bc9150455d955b8395b0
                                                                                                                                          • Instruction Fuzzy Hash: 423157216ECE0086FAE4BBAC9C7D3E9E2919B4674FF448414954B4B2D7FA3988C5C31D

                                                                                                                                          Control-flow Graph

Control-flow graph for the function at 180019f69 (graph image not reproduced; legend: Executed / Not Executed)
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 430d6e6a62d8c94c9c04e7e52013dca82c213aedb955d9ad44379b1780147ad5
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: FF416D35206B4C82FBA79B20E9503EA2361AB4EBD0F54D525E90E477A4DF3CC68E8304

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
• Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __scrt_fastfail$__scrt_initialize_onexit_tables
                                                                                                                                          • String ID: `eh vector vbase constructor iterator'$`local vftable'$`udt returning'$onstructor closure'
                                                                                                                                          • API String ID: 2273495996-2419032777
                                                                                                                                          • Opcode ID: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction ID: 90b4c5fbda654a580379ecdd64fdc19c55e40c8ac8d647e7bc24f2a2a81f1b2a
                                                                                                                                          • Opcode Fuzzy Hash: 371735c951b6f4861318f081dd214222249cf913f5a589c2fbc766e687f75775
                                                                                                                                          • Instruction Fuzzy Hash: 4D413C242AAF008AFA94FB69ED38356A361AB4979FF445525D90E077A4FF3CC4C58308

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memset$malloc$ExitFileModuleNameProcessmemcpy$AdminManagerOpenUserwcsstr
                                                                                                                                          • String ID: svchost.exe
                                                                                                                                          • API String ID: 2075570005-3106260013
                                                                                                                                          • Opcode ID: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                                          • Instruction ID: a7e4a02683164cc51efae999f71ec939c82b81573c8ef5df0e77f5c8c66af7f8
                                                                                                                                          • Opcode Fuzzy Hash: 58df4dc3bab4f7dd2091c0286527b5df24bc2997b8bd963c05bea4cdd90a2c72
                                                                                                                                          • Instruction Fuzzy Hash: 7E015231311A4D81FBAAEB21E8A93DA6360BB8D795F449125A99E46295DF3CC34CC740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _set_statfp
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1156100317-0
                                                                                                                                          • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction ID: 3b9bd57b40fff3d8961f464b14179896b260d9c17b5d0c480fa0c6cf32fa7499
                                                                                                                                          • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction Fuzzy Hash: CB117732690A4D01F7E72129D4553F93340AB6D3F4F45C634BA76976D6CE248BC94302
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
• Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DestructExceptionObject$__vcrt_getptd_noexit
                                                                                                                                          • String ID: csm
                                                                                                                                          • API String ID: 3780691363-1018135373
                                                                                                                                          • Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction ID: db631016fc255ebee16df964a9dc80ad8fd675eb29ed39a1037500a64f3dc729
                                                                                                                                          • Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
                                                                                                                                          • Instruction Fuzzy Hash: 80214D36258A8087E6B0EF5AE85435EF760F788BAFF404201DE9903795DB38D8C2CB05
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __std_exception_copy
                                                                                                                                          • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                                          • API String ID: 592178966-1611991873
                                                                                                                                          • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction ID: c8ada3eb98077b3e77d28a4839308a809c4d6d91d1a7368aad5ed78790c858ba
                                                                                                                                          • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction Fuzzy Hash: 9EE01AB1200B0490DB068F65E8513E873A4EB4CB90F48C032AA5C47354EF38C6A9C301
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: __std_exception_copy
                                                                                                                                          • String ID: `vector destructor iterator'$nt delete closure'
                                                                                                                                          • API String ID: 592178966-1611991873
                                                                                                                                          • Opcode ID: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction ID: 5b738856b9ff287e2c6b6e4a841630ecf92c0224ba10497305f73b9eec7e1930
                                                                                                                                          • Opcode Fuzzy Hash: 180211b27f776a29354646e6639c5d344605f4a19a09db6ac079198205e274bc
                                                                                                                                          • Instruction Fuzzy Hash: F4E04F72254F0095DF059F59F8641D8B3A4EB4CB59B4880229A5C47350EB38C5E9C304
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3332905008.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3332859160.0000000180000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333144378.0000000180119000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333205483.000000018011D000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3333250328.0000000180121000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                          • String ID: File
                                                                                                                                          • API String ID: 932687459-749574446
                                                                                                                                          • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction ID: 9145d171dbcecb2188c45693134888adfda474ee1ae56853841174419c243042
                                                                                                                                          • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction Fuzzy Hash: 49C08C3221488D91EB62EB10E8917DA5330B7A8384F818111F19C824B69F1CC30ECB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                          • String ID: File
                                                                                                                                          • API String ID: 932687459-749574446
                                                                                                                                          • Opcode ID: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction ID: 79f41258dfddd3ea3e4e969c354942cd47d6227d2cdda0284a2e50228a26f1f9
                                                                                                                                          • Opcode Fuzzy Hash: 5cc107604c7e858ffc48b5ed233f99d9330b9e91bd1076a405a7e456ecbb9fc9
                                                                                                                                          • Instruction Fuzzy Hash: 22C08C22278C81D2DE60FB4ADCB91C99331F79430EF900001A29D018B6BB38C289CB04
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
                                                                                                                                          • Instruction ID: f69630e2078579cbd478a6397b096ccb9c92713262dc92f8db5a815ab29da7de
                                                                                                                                          • Opcode Fuzzy Hash: e616ce5f37f1b4e4ce6758aa9da7daa550d8ae5af315314d3572aa898a2e0930
                                                                                                                                          • Instruction Fuzzy Hash: 4E21D8616AAF0189FEC4BF59AC6C754A3A0AB48B4FF484428C85A07364FF7DC1C9C309
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction ID: c0cf42ef41d48db58bf3e2e4855ebbc6884eede43f60408b27bc7e5c53eaa0e6
                                                                                                                                          • Opcode Fuzzy Hash: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction Fuzzy Hash: 2721D6606AAF0189FEC4BF59AC6C754A3A0AB49B5FF484428C85A07360FF7DC0C8C309
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                                          • Instruction ID: 4fd522d15ecb322b7fe739ffdad62c705632f6a434cd22ee66c735f64690f5f2
                                                                                                                                          • Opcode Fuzzy Hash: 318f5717511456cabe01ac0f45910221d27ad42c297a2242a16efb7a4ad3622b
                                                                                                                                          • Instruction Fuzzy Hash: FA21C5606AAF0589FE84BF59AC7C754A7A0AB48B5FF484428C85A07360FF7DC0C8C349
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000003.00000002.3338336491.00000254A3330000.00000004.00000001.00020000.00000000.sdmp, Offset: 00000254A3330000, based on PE: true
                                                                                                                                          • Associated: 00000003.00000002.3338416930.00000254A3450000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000003.00000002.3338435140.00000254A3451000.00000020.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_3_2_254a3330000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `vector constructor iterator'$ctor closure'$deleting destructor'$deleting destructor'
                                                                                                                                          • API String ID: 0-4293706295
                                                                                                                                          • Opcode ID: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                                          • Instruction ID: a787eb7acb7e5a9edf36d486199a3b79d99642e3bddff8dff24af1d7c71cdf26
                                                                                                                                          • Opcode Fuzzy Hash: 8c09dbcfe2dae1ad0642468bfe82c4cc15e963c79359e8f814b649e352f9735f
                                                                                                                                          • Instruction Fuzzy Hash: 3621C6646AAF0189FEC4BF59AD7C754A7A0AB48B5FF484428D85A07360FF7D80C8D319
                                                                                                                                          APIs
                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Arpha$CrashReport$CriticalLocalSectionUtils$ArgvCommandCurrentDumpEnterExceptionFreeLeaveLineThreadThrowWindow
• String ID: arpha_winlocaldumpdir$arpha_winlocaldumpexe
• API String ID: 862967442-3845740607
Similarity
• API ID: CurrentThread_invalid_parameter_noinfo_noreturn
• String ID: open
• API String ID: 361653118-2758837156
Similarity
• API ID: MessageSend$Window$ItemLongMonitorParent$AttributesCreateFileFontFromInfoRectText
• String ID: Courier
• API String ID: 4098548037-11433440
Similarity
• API ID: CharNext$lstrcmpi
• String ID:
• API String ID: 3586774192-0
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
Similarity
• API ID: ErrorFileLastWrite$Console
• String ID:
• API String ID: 786612050-0
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF671BFD26B
Similarity
• API ID: DebugDebuggerErrorLastOutputPresentString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 389471666-631824599
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Resource$LoadLockSizeof
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2853612939-0
APIs
Similarity
• API ID: Heap$EntryFreeInterlockedListProcessPush
• String ID:
• API String ID: 1982578398-0
APIs
Strings
Similarity
• API ID: FileModuleNamePrivateProfileString
• String ID: \arphaCrashReport.ini$detail_caption$detail_file_name$detail_files_size$main_crash_detail$main_crash_err1$main_crash_err2$main_crash_solution$main_ok$main_restart$msg_outofhandle$msg_outofmemory$process_text
• API String ID: 2781712182-303698833
APIs
Strings
Similarity
• API ID: CharNext$CriticalSectionTask$AllocEnterFreeLeavelstrcmpiwcsstr
• String ID: }}$'$'$HKCR$HKCU{Software{Classes
• API String ID: 3732455964-2865048680
APIs
• DecodePointer.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD455
• LoadLibraryExA.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD46F
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD48B
• EncodePointer.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD49D
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD4B4
• EncodePointer.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD4C2
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD4D9
• EncodePointer.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD4E7
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD4FE
• EncodePointer.KERNEL32(?,?,?,00007FF671BFD8CA,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD50C
Strings
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeLibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
• API String ID: 4088972757-1745123996
APIs
Strings
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeLibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
• API String ID: 4088972757-1745123996
APIs
• DecodePointer.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD655
• LoadLibraryExA.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD66F
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD68B
• EncodePointer.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD69D
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD6B4
• EncodePointer.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD6C2
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD6D9
• EncodePointer.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD6E7
• GetProcAddress.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD6FE
• EncodePointer.KERNEL32(?,?,?,00007FF671BFDA40,?,?,?,00007FF671BF2F1D), ref: 00007FF671BFD70C
Strings
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeLibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
• API String ID: 4088972757-1745123996
APIs
Strings
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeLibraryLoad
• String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
• API String ID: 4088972757-1745123996
                                                                                                                                          • Opcode ID: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction ID: 9d48f6ca6e4bf7d7edb7bb982b9481565ef20e4660543b2519fab925739e571f
                                                                                                                                          • Opcode Fuzzy Hash: f8712fd5a3c25522077a4ff2ee864bf8c10fba992a64d8f947a4c16263d71c49
                                                                                                                                          • Instruction Fuzzy Hash: A221D6AAE6AB4391EF04CB91B85423422B4BF4AF45FB4A036D95E87360DE3CE545D740
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Window$LongMonitorRect$FromInfoParent
• String ID: (
• API String ID: 1468510684-3887548279
• Opcode ID: 412d6f7ca8d768e71eb13778a1bab90cf3c95b0798faceaac53b68d390f3ec05
• Instruction ID: 984b8074617751c32063c1282998ba9e715f71a4dff0fe8cbb1da9fc073fef45
• Opcode Fuzzy Hash: 412d6f7ca8d768e71eb13778a1bab90cf3c95b0798faceaac53b68d390f3ec05
• Instruction Fuzzy Hash: C251C63B728A4186E720CB65E545229B375FB89F90F605132EA9DC3B58CF3CE5458B00
APIs
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF3114
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF314C
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF316E
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF3186
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF3195
  • Part of subcall function 00007FF671BF30E0: CharNextW.USER32(?,?,00007FF671BF57B6), ref: 00007FF671BF3205
• lstrcmpiW.KERNEL32(?,?,00000027,00000000,00000000,?,?,?,00007FF671BF3FB0), ref: 00007FF671BF428A
• lstrcmpiW.KERNEL32(?,00000027,00000000,00000000,?,?,?,00007FF671BF3FB0), ref: 00007FF671BF42A0
• RegCloseKey.ADVAPI32(?,?,00000027,00000000,00000000,?,?,?,00007FF671BF3FB0), ref: 00007FF671BF4E50
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: CharNext$lstrcmpi$Close
• String ID: Delete$ForceRemove$NoRemove$REGISTRY$Val
• API String ID: 3752141797-3633700294
• Opcode ID: 04aa429bae3d8595f7f3c8ca20f3c370a6b79915d783884065d625aa2123f27a
• Instruction ID: 4e43112443fac11161f8e6a05085876f3927654c76df70e9327d6d99d5ceb04e
• Opcode Fuzzy Hash: 04aa429bae3d8595f7f3c8ca20f3c370a6b79915d783884065d625aa2123f27a
• Instruction Fuzzy Hash: 5291B33FA2864381FB118B65980067A62A9BF46F94F606133DE6DC76D4EF3CE944CB00
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Window$Parent$ItemLongMessageMonitorPathSend$ArphaCrashDestroyEnableExceptionFindFromInfoRectReportResourceShowStripTextThrow
• String ID:
• API String ID: 1380867179-0
• Opcode ID: 348fac252a4aef1dafe8e3b2d16a5a9dd828d8a4cf78c04bfdbeb9f54c8b2748
• Instruction ID: eed7226c653d5774ae4101ee07d85c5394a1a91a58f8f9248ceeb9d0057d1275
• Opcode Fuzzy Hash: 348fac252a4aef1dafe8e3b2d16a5a9dd828d8a4cf78c04bfdbeb9f54c8b2748
• Instruction Fuzzy Hash: D0B1D27BB28A4282EB00DB26D45426D63A4FB86FA4F505532DB6D877D4DF3CE841CB40
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Window$CriticalHeapParentPathSection$ActiveAllocArphaCrashCreateCurrentDialogEnableEnterErrorExceptionItemLastLeaveParamProcessReportShowStripTextThreadThrowUpdate
• String ID:
• API String ID: 3077039260-0
• Opcode ID: 4ab98e69dc85c3c2fb14e5b274084fd2f8c30c7f9b1560f41e70154f0f5547c0
• Instruction ID: c81d5a27d250247791bf4f86f0ceafedc7ecdbdfee5ce3ed7c2f5bfcb8122153
• Opcode Fuzzy Hash: 4ab98e69dc85c3c2fb14e5b274084fd2f8c30c7f9b1560f41e70154f0f5547c0
• Instruction Fuzzy Hash: 3AA1BE7BA28B4682EB00DB2AD44466D73A4FF86F90F545536DA2E837A5DF3CE444CB40
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: LibraryLoad$Resource$ErrorFindFreeLast
• String ID: Delete$ForceRemove$NoRemove$Val
• API String ID: 328770362-1781481701
• Opcode ID: 104876e65e64e225624c55cc7cedff8ac941019aa07597be9b47fdf8fb06b7cf
• Instruction ID: 18b2f2815daf24555a09d0c63cb171e24e6f61fed6d5c7a65736dbf693624a1e
• Opcode Fuzzy Hash: 104876e65e64e225624c55cc7cedff8ac941019aa07597be9b47fdf8fb06b7cf
• Instruction Fuzzy Hash: 6851953BB2864282EB10CB26A44077966E5BF9AFD0F201236DA6D83B94DF3CD5459F00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: ArphaCrashProcessReportThreadWindow$ButtonCheckedCreateFileMessagePathPostRemoveShowSpec
• String ID: h
• API String ID: 1094471175-2439710439
• Opcode ID: 9162a5b24f374cef23787fbb5ed542cac54d9306ac9f3df57fb38a73f5910643
• Instruction ID: d70ed972418366eaff83acebd374114914fd62a829055c2da0e5cd0c7d216141
• Opcode Fuzzy Hash: 9162a5b24f374cef23787fbb5ed542cac54d9306ac9f3df57fb38a73f5910643
• Instruction Fuzzy Hash: CF518277A28A8282D724CB29E44436E7365FBC5F90F205236DA6D83BA9DF3DD441DB40
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 6244dfc220e43207033ba98a0b75a8b0f72335050adab1bc5d1091457c629230
• Instruction ID: 42d3bf0ac36f36571cfc1447b9997d42e80c7fd720d28b51850edf6bf7f4979f
• Opcode Fuzzy Hash: 6244dfc220e43207033ba98a0b75a8b0f72335050adab1bc5d1091457c629230
• Instruction Fuzzy Hash: 93418CB2B28B4189E700CFA5E8517A933B5FB14388F608536EA5C97B98EE3DD525C340
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 1011152198-0
• Opcode ID: e49450ee6f6a2700efc2b99d1c8661abeac7e54670bb419982dbb3fd25f039fb
• Instruction ID: ed829f333f96aa9a63c62b7c3bcc859b798da85a1433c9b0a1604ba9f8a44fd0
• Opcode Fuzzy Hash: e49450ee6f6a2700efc2b99d1c8661abeac7e54670bb419982dbb3fd25f039fb
• Instruction Fuzzy Hash: 3F31802BE3C24382FB50ABE594513B913A59F47B44F55603BE65DDB2D3DE2CF8058A10
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File

Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: http://$https://
• API String ID: 3668304517-1916535328

Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
• API String ID: 1646373207-1053001802

Similarity
• API ID: CharNext
• String ID:
• API String ID: 3213498283-0

Similarity
• API ID: AddressCloseCreateHandleModuleProc
• String ID: Advapi32.dll$RegCreateKeyTransactedW
• API String ID: 1765684683-2994018265

Similarity
• API ID: ArphaCommandCriticalLineSectionUtilsWindow$ArgvCommonControlsCurrentDestroyDumpEnterInitInitializeLeaveLocalThreadUninitialize
• String ID:
• API String ID: 2267807331-0

Similarity
• API ID: AddressCloseHandleModuleOpenProc
• String ID: Advapi32.dll$RegOpenKeyTransactedW
• API String ID: 823179699-3913318428

Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586

Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ArphaCrashReport$TextWindow
• String ID:
• API String ID: 1203364530-0

Similarity
• API ID: MessageSend$Item$DialogParentTextWindow
• String ID:
• API String ID: 271282217-0
                                                                                                                                          • Opcode ID: 052a828648b87492a7a14e08253b75787d6a8319cc53b8d316027b8f1f35d00e
                                                                                                                                          • Instruction ID: 4b3b10fefabe3daa392438c8b87e43f3cb9b7f4bf7583183902659c17a5aceab
                                                                                                                                          • Opcode Fuzzy Hash: 052a828648b87492a7a14e08253b75787d6a8319cc53b8d316027b8f1f35d00e
                                                                                                                                          • Instruction Fuzzy Hash: 3C415E3BB18745C2EB508B2AE44027973A5FB89B94F545036EB5D877A9CF3CE891CB00
                                                                                                                                          APIs
                                                                                                                                          • InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD762
                                                                                                                                            • Part of subcall function 00007FF671BFD814: GetProcessHeap.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD830
                                                                                                                                            • Part of subcall function 00007FF671BFD814: HeapAlloc.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD842
                                                                                                                                            • Part of subcall function 00007FF671BFD814: InitializeSListHead.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD853
                                                                                                                                            • Part of subcall function 00007FF671BFD814: GetProcessHeap.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD863
                                                                                                                                            • Part of subcall function 00007FF671BFD814: HeapFree.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD871
                                                                                                                                          • VirtualAlloc.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD793
                                                                                                                                          • RaiseException.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD7AE
                                                                                                                                          • InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD7C1
                                                                                                                                          • VirtualFree.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD7DA
                                                                                                                                          • InterlockedPushEntrySList.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD7F6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HeapList$EntryInterlocked$AllocFreeProcessVirtual$ExceptionHeadInitializePushRaise
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2142016258-0
                                                                                                                                          • Opcode ID: 16ae44e21a93293100ad8d48e44b2f8e3cbb69987ce9b98bdcbde6910d86fe6f
                                                                                                                                          • Instruction ID: dd8c1985b97d4e77475690dee0c9556edd1b8228b0c1062e2d60c38a6ca9aa4e
                                                                                                                                          • Opcode Fuzzy Hash: 16ae44e21a93293100ad8d48e44b2f8e3cbb69987ce9b98bdcbde6910d86fe6f
                                                                                                                                          • Instruction Fuzzy Hash: 9321A22AF38A4281FF15DB56E8106796265AF89F80FA4A036CD1ECB761DE2CE4418B00
                                                                                                                                          APIs
                                                                                                                                          • IsWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD1D
                                                                                                                                          • GetParent.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD2B
                                                                                                                                          • IsWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD34
                                                                                                                                          • GetParent.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD42
                                                                                                                                          • EnableWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD50
                                                                                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,00007FF671BFAECA), ref: 00007FF671BFCD5A
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Window$Parent$DestroyEnable
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2549540158-0
                                                                                                                                          • Opcode ID: 2bb13052c7cf26e7de56ff1d4bc1bb3e76ef28178d89c37ca3a658b1d5aa1eac
                                                                                                                                          • Instruction ID: 259d52b52e02f2dac0a3eef6bd5b46e685bc509b004353489b5f78763fc849ef
                                                                                                                                          • Opcode Fuzzy Hash: 2bb13052c7cf26e7de56ff1d4bc1bb3e76ef28178d89c37ca3a658b1d5aa1eac
                                                                                                                                          • Instruction Fuzzy Hash: 03F0DA6AA64942C1EB109FA2EC5473863B4EF89F85F285036C91EC62A0DF2CD885D760
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressCreateFileHandleModuleProc
                                                                                                                                          • String ID: CreateFileTransactedW$kernel32.dll
                                                                                                                                          • API String ID: 2580138172-2053874626
                                                                                                                                          • Opcode ID: 02427ab3b42849df072f26c3d517596b14f549963aef437c67c1a92d75162d1d
                                                                                                                                          • Instruction ID: 8f1aa1ce484badcba90eae35a8402b6a260e4ac2bc4bb4b99d213ac491de7dba
                                                                                                                                          • Opcode Fuzzy Hash: 02427ab3b42849df072f26c3d517596b14f549963aef437c67c1a92d75162d1d
                                                                                                                                          • Instruction Fuzzy Hash: F331303B62CB8186D760CB55F44026AB3A4F789BA4F545236EAAD93BA4DF3CD4448B04
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                          • Opcode ID: 7a83ac91d3b6832f89a68afdb0a05514a4ac3a4204deb52a236f0e8f4ae27cba
                                                                                                                                          • Instruction ID: 29ed65674f89d937959dda81cdabd7694bb806fdda7e788d0947163b65c9a6cb
                                                                                                                                          • Opcode Fuzzy Hash: 7a83ac91d3b6832f89a68afdb0a05514a4ac3a4204deb52a236f0e8f4ae27cba
                                                                                                                                          • Instruction Fuzzy Hash: 28F03AE7B7964282EB448BE0E8843782370AF88750F64113ADA0FC5664EF2CD588D700
                                                                                                                                          APIs
                                                                                                                                          • _invalid_parameter_noinfo.LIBCMT ref: 00007FF671C0E8ED
                                                                                                                                          • GetConsoleMode.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,?,?,00007FF671C0E86B,00000000,00000000,00000000,00007FF671C0AC67), ref: 00007FF671C0E9AC
                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,?,?,00007FF671C0E86B,00000000,00000000,00000000,00007FF671C0AC67), ref: 00007FF671C0EA2C
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2210144848-0
                                                                                                                                          • Opcode ID: 6890b1e15a1fb5cc30c4a85a2736fd56731a4e3fb5bd04c8ea37afb590e47ab0
                                                                                                                                          • Instruction ID: 9f5c0218c3a7bdcd939bbf43e07fb46e14deec93e3319e3eb305db5e2909fc44
                                                                                                                                          • Opcode Fuzzy Hash: 6890b1e15a1fb5cc30c4a85a2736fd56731a4e3fb5bd04c8ea37afb590e47ab0
                                                                                                                                          • Instruction Fuzzy Hash: F381AFA3E7861A89F7509BE58C912BD2B70FF48B94F644137DA0EA3695DF3CA481C310
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _set_statfp
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1156100317-0
                                                                                                                                          • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction ID: 636f0e8ec1a2c972aad3142879a7bd2d31e2853a49e810a07767608c13f16b88
                                                                                                                                          • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                                                                                                                          • Instruction Fuzzy Hash: 4E11C1E3E7CA1343F76411E8ECD337610B46F58370F380232EA6E8A6D68E6CA8C15614
                                                                                                                                          APIs
                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD830
                                                                                                                                          • HeapAlloc.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD842
                                                                                                                                          • InitializeSListHead.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD853
                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD863
                                                                                                                                          • HeapFree.KERNEL32(?,?,?,00007FF671BFD757,?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD871
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
                                                                                                                                          • Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                          • Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Heap$Process$AllocFreeHeadInitializeList
• String ID:
• API String ID: 927271182-0
• Opcode ID: 14d5ffe20980cb43a1a40300d7efdf2ea6198e7e26337d1d7422f02d616f1342
• Instruction ID: 01a06f17f33ef62221d88d307dcd6df86ba46f625162e24ce71393f6621b5fde
• Opcode Fuzzy Hash: 14d5ffe20980cb43a1a40300d7efdf2ea6198e7e26337d1d7422f02d616f1342
• Instruction Fuzzy Hash: 3B018CBAB69B01C2EB048BA2E80022922B1FF49F94F649136CD4D83724EF3DE485C700
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
• String ID: csm
• API String ID: 2280078643-1018135373
• Opcode ID: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
• Instruction ID: 4f74214853e0200d65d8f04ba802d47d85797f6807de40d82a0f8420f01b64e7
• Opcode Fuzzy Hash: d49d3c1e60c3354247970e5f405f23988a7ea1f58b6bb3f0a1cf52d8215e401e
• Instruction Fuzzy Hash: 49212B7B62864182E730DF55E44066EB7B0F789BA5F210226DE9D43795DF3DE881CB00
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: ByteCharCriticalFindMultiResourceSectionWide$EnterLeave
• String ID:
• API String ID: 2462052736-0
• Opcode ID: 0dfbb6077d379c04c7fa74544144c9af0e17c2dc9fc63beecfdf1cb9ee66edb3
• Instruction ID: 85c7694ae369300e6319413ac6c474edc5cf1d693291244b1f1e90c793133f86
• Opcode Fuzzy Hash: 0dfbb6077d379c04c7fa74544144c9af0e17c2dc9fc63beecfdf1cb9ee66edb3
• Instruction Fuzzy Hash: 5571AF3BB29B0582EB109B16D40423DB3A6BF85F84F14A136DA6D877A5DF3CE442CB40
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: CloseFileHandle$ErrorLastReadSize
• String ID:
• API String ID: 2874038178-0
• Opcode ID: be5c366c1aee1bb0493212f3807dab99741dc336282f279b984104bc03ce7b0e
• Instruction ID: e3f56c2e37e1d7f66051982390af4ce12be47aa21ba4bf4d96b5dbe4bc50a912
• Opcode Fuzzy Hash: be5c366c1aee1bb0493212f3807dab99741dc336282f279b984104bc03ce7b0e
• Instruction Fuzzy Hash: 9151F53BA28A4186E710DF26E44426A7364FB86FA4F145236EFAD83794CF3CE544CB40
APIs
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
• String ID:
• API String ID: 3550545212-0
• Opcode ID: 040b0679540e2a900ba248f1840ab6053cbc3b60983c4fd2c85778e1d435c15a
• Instruction ID: 7561503c04d194fd40ad3e84114c14b40a5c448c41274a655e5cf1204955d8d7
• Opcode Fuzzy Hash: 040b0679540e2a900ba248f1840ab6053cbc3b60983c4fd2c85778e1d435c15a
• Instruction Fuzzy Hash: B621AE3BA28B4292EB00CB92E8801796775FB8AFC0F685432DE1D87B51DF3CD2518700
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: c01764dfbe32b028f5056c7d83d2cee1126fd816d89c7b91bdc522376125e6a5
• Instruction ID: d2b5c049c5a6cb94052c3875037b31fc78d2ceabc4e85f02db28c3ca33317ca7
• Opcode Fuzzy Hash: c01764dfbe32b028f5056c7d83d2cee1126fd816d89c7b91bdc522376125e6a5
• Instruction Fuzzy Hash: 04719FF79386528AE7698FA98A4413C3BB0EB45F18F342237CA4AC6295DF3CD581D750
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
• Opcode ID: c3eb90e04eeb98973408be6b9dec83dab8f3b75c1a56071b46acd4d231908e16
• Instruction ID: 09a683e2cd19e0c9fae252562cdaccb1f4733800c0ae18ff5b5ec10208ca4139
• Opcode Fuzzy Hash: c3eb90e04eeb98973408be6b9dec83dab8f3b75c1a56071b46acd4d231908e16
• Instruction Fuzzy Hash: 345128A3F386C186E7248BB59D413697BA1EB41B90F58D236D79C87BD6CE2DE044C700
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: MessagePost_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3882714859-3916222277
• Opcode ID: 4914b8256ecab36f4fd6b595dfc67f5a411be51a6585e9d9d24558f354d24091
• Instruction ID: 1ddfb318a92613f2425f2f8e5626784e3227691af7aca5e62a767e8ba6e82dd1
• Opcode Fuzzy Hash: 4914b8256ecab36f4fd6b595dfc67f5a411be51a6585e9d9d24558f354d24091
• Instruction Fuzzy Hash: F241CF2BA28A8181E7148B25E4406696764FB8AFB4F55A332EE7C43BD5DF3CD481CB00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 5a806dc1491d0c6271bbbc8e5008386da0c6929f9748225bac500225c6b8e426
• Instruction ID: e8a6ba350c7ec135d6c48dad200d89685ad5df30eebc186f1fbe9c656016dec0
• Opcode Fuzzy Hash: 5a806dc1491d0c6271bbbc8e5008386da0c6929f9748225bac500225c6b8e426
• Instruction Fuzzy Hash: 9941B263A39A4582DB20CFA5E8443B96761FB98794FA14032EE4DD7794DF3CD441CB00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: f4f5ecbe5d30e1b070dccf9b5405843729b019c2da799db4096029bea26e8635
• Instruction ID: a0843326ac5b2d2ee412f1231d08ef22d44fe6bd502d80bd10efb387dbacd12d
• Opcode Fuzzy Hash: f4f5ecbe5d30e1b070dccf9b5405843729b019c2da799db4096029bea26e8635
• Instruction Fuzzy Hash: 99113B76A18BC186D760CB96B4402AAB7B1FB89B94F644136EF8D83B19CF3CD4418B00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                                                          • String ID: InitializeCriticalSectionEx
                                                                                                                                          • API String ID: 539475747-3084827643
                                                                                                                                          • Opcode ID: ea3bbbd1d9426669e13d278dee503b85decd3218e17dc90cdb93af113aee1925
                                                                                                                                          • Instruction ID: a22c0a6aba17114ce040eeb94892e7f8fb33e89ee7fea0c6db6fb2617119f37e
                                                                                                                                          • Opcode Fuzzy Hash: ea3bbbd1d9426669e13d278dee503b85decd3218e17dc90cdb93af113aee1925
                                                                                                                                          • Instruction Fuzzy Hash: 62F0B4A7F3869181E7048BC5B4840652331EF49BA0F685033DA0E43B14CE3CD556D350
                                                                                                                                          APIs
                                                                                                                                          • try_get_function.LIBVCRUNTIME ref: 00007FF671C0A425
                                                                                                                                          • TlsSetValue.KERNEL32(?,?,00002B992DDFA232,00007FF671C075AE,?,?,00002B992DDFA232,00007FF671C02559,?,?,?,?,00007FF671C077A2,?,?,00000000), ref: 00007FF671C0A43C
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Valuetry_get_function
                                                                                                                                          • String ID: FlsSetValue
                                                                                                                                          • API String ID: 738293619-3750699315
                                                                                                                                          • Opcode ID: dc19925df7054c3da7d384d372df0438c0b9b9f5ff54b080332979567a3050fc
                                                                                                                                          • Instruction ID: 6d314e14994d174f1c6794f114a637f51b1d61e2d9e2cc597531249aa5049946
                                                                                                                                          • Opcode Fuzzy Hash: dc19925df7054c3da7d384d372df0438c0b9b9f5ff54b080332979567a3050fc
                                                                                                                                          • Instruction Fuzzy Hash: 70E065E7A7C646C1FB044BD4E8440F82232AF48B80FB85037DA1D86254CE3DE885D211
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DownlevelLocaleName__crttry_get_function
                                                                                                                                          • String ID: LocaleNameToLCID
                                                                                                                                          • API String ID: 404522899-2050040251
                                                                                                                                          • Opcode ID: ff1e8b1d26c56ae76a8f1a34358a17a3ebd64fa55d651b56af5456e7e1f2b463
                                                                                                                                          • Instruction ID: f7fac779f599d9ecf9a35cac95f96c963bda971c18c1008b9e624bb5b62eb8a1
                                                                                                                                          • Opcode Fuzzy Hash: ff1e8b1d26c56ae76a8f1a34358a17a3ebd64fa55d651b56af5456e7e1f2b463
                                                                                                                                          • Instruction Fuzzy Hash: DCE06DA3A38987C1EB149BD8A8400B52332AF89750F784033D61E4A299DE3CE895E311
                                                                                                                                          APIs
                                                                                                                                          • try_get_function.LIBVCRUNTIME ref: 00007FF671C02025
                                                                                                                                          • TlsSetValue.KERNEL32(?,?,?,00007FF671C00651,?,?,?,?,00007FF671C004C4,?,?,?,?,00007FF671BFDDE7), ref: 00007FF671C0203C
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Valuetry_get_function
                                                                                                                                          • String ID: FlsSetValue
                                                                                                                                          • API String ID: 738293619-3750699315
                                                                                                                                          • Opcode ID: 1970a22e63e2612b00cc6773b3d3c61cbd35341fbabfd1e7bc5587ff0409e431
                                                                                                                                          • Instruction ID: d225898e6af3e656d43d59a33f19d069a50f7a62c041d491ba6546a6089fba50
                                                                                                                                          • Opcode Fuzzy Hash: 1970a22e63e2612b00cc6773b3d3c61cbd35341fbabfd1e7bc5587ff0409e431
                                                                                                                                          • Instruction Fuzzy Hash: 6BE065E7A38642D2EB055BD1EC440B46231AF48794FB85037D91D86294CE3CD545D301
                                                                                                                                          APIs
                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD89A
                                                                                                                                          • HeapAlloc.KERNEL32(?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD8AC
                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD8EF
                                                                                                                                          • HeapFree.KERNEL32(?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD8FD
                                                                                                                                            • Part of subcall function 00007FF671BFD73C: InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF671BFD8E6,?,?,?,00007FF671BF2EF6), ref: 00007FF671BFD762
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000004.00000002.2097694119.00007FF671BF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF671BF0000, based on PE: true
• Associated: 00000004.00000002.2097643355.00007FF671BF0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100387854.00007FF671C12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100443527.00007FF671C22000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.2100575870.00007FF671C25000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_4_2_7ff671bf0000_ParphaCrashReport64.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$Process$AllocEntryFreeInterlockedList
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3120275070-0
                                                                                                                                          • Opcode ID: 3a660664334770742c661381b6aa630b8fc30d44945546b2439c104621ff65a6
                                                                                                                                          • Instruction ID: 2f1e03b89ccdbdded97fcd82656c016dd47711e0f88806986886e5554784f94d
                                                                                                                                          • Opcode Fuzzy Hash: 3a660664334770742c661381b6aa630b8fc30d44945546b2439c104621ff65a6
                                                                                                                                          • Instruction Fuzzy Hash: 4001816FE2A703C1FF199BB5A81417825A59F06F00FA8553AC81E81350EE3CF486EA10

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:3.8%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:31.2%
                                                                                                                                          Total number of Nodes:862
                                                                                                                                          Total number of Limit Nodes:83
execution_graph (rendered graph flattened to text; nodes listed by image address with the APIs they call, grouped by entry point and in the order the edges reach them; the graph is cut off in the source after node 180020c91)

Entry 180015621 → 1800224e0 (host information collection, process inventory, cleanup)
• 180022526: memset, memset, memset
• 180022667: memset, gethostname, gethostbyname, inet_ntoa, wsprintfW
• 180022792: lstrcatW, GetForegroundWindow
• 1800227c3: GetWindowTextW
• 1800227d9: VirtualAlloc
• 1800227fc: GetModuleHandleW → 180022818: GetProcAddress → 180022832: GetModuleHandleW → 18002285f: GetProcAddress → 18002288b → subcall 18002bdc0 (18002c586: memset; 18002c5eb, 18002c611, 18002c72a, 18002c730: lstrcatW) → 18002289a: VirtualFree
• 1800228ab: GetComputerNameW, GetCurrentProcess, IsWow64Process, RegOpenKeyExW
• 180022930: RegQueryValueExW → 180022971: RegCloseKey, GetSystemInfo, wsprintfW (or 180022969: RegCloseKey)
• 1800229af: GlobalMemoryStatusEx, wsprintfW, VirtualAlloc, VirtualAlloc
• 180022a37: GetUserNameW, GetCurrentProcessId → subcall 18002c950: memset, CreateToolhelp32Snapshot → 18002c991: Process32FirstW → 18002c9b6: Process32NextW (loop) → 18002ca3e: CloseHandle → 180022a57: wsprintfW, VirtualFree, VirtualFree
• 180022a93: memset, GetWindowsDirectoryW (180022ac9: GetLastError on failure)
• 180022ad3: GetVolumeInformationW, wsprintfA, wsprintfA, wsprintfW, CoInitializeEx
• 180022bd9: CoCreateInstance → 180022cb2: SysFreeString; 180022ce2: CoUninitialize
• 180022ce8: GetCurrentProcess, IsWow64Process
• 180022d2e → subcall 180013330: VirtualAlloc; 180013359: VirtualAlloc; 18001339f: InitializeCriticalSection; then repeated IsBadReadPtr / EnterCriticalSection, VirtualAlloc / LeaveCriticalSection blocks from 1800133b0 through 1800138a2; 180013842 → subcall 1800223b0: CreateToolhelp32Snapshot → 1800223d4: malloc → 1800223f0: Process32FirstW → 180022412, 180022425, 180022470: lstrlenW → 18002245a, 1800224a5: Process32NextW (loop) → 1800224ba: free → 1800224c3: CloseHandle
• 180013330 (51 API calls) → 180022e89 → 180022ec2: VirtualFree; 180022ee9: VirtualFree; 180022f02: VirtualFree; 180022f29: VirtualFree; 180022f60: VirtualFree; 180022f87: VirtualFree, each preceded by subcall 180026f00: IsBadReadPtr → 180026f1d: EnterCriticalSection → 180026f40: VirtualFree (loop) → 180026f5a: LeaveCriticalSection, DeleteCriticalSection, VirtualFree
• returns to 18001562c

Entry 180032930 (outbound TCP connection)
• 180032930: WSASocketW (failure → 18003299b: GetLastError → 180032aff)
• 1800329a6: getaddrinfo, WSAGetLastError (failure → 1800329da: WSAGetLastError → 180032aff)
• 1800329eb: htons, connect (failure → 18003299b: GetLastError)
• 180032a27: setsockopt, setsockopt, setsockopt, WSAIoctl, setsockopt → 180032aff

Entry 180032c50 (overlapped receive)
• 180032c50: VirtualAlloc, CreateEventW, WSARecv, WSAGetLastError
• 180032d04: WaitForMultipleObjects → 180032d26: WSAGetOverlappedResult → 180032d4c: WSAGetLastError
• 180032d54 → 180032d5e: CloseHandle → 180032d69 → 180032d84: VirtualFree → 180032d95

Entry 180027eb0 (file open with timed retry)
• 180027eb0: GetTickCount, CreateFileW
• 180027f10: GetLastError; 180027f24: GetTickCount → 180027f33: SleepEx, CreateFileW (retry loop) → 180027f72

Entry 180011c70 (privilege adjustment and process enumeration)
• 180011c70: CreateEventW, VirtualAlloc → subcall 180020680: VirtualAlloc → 1800206a9: GetCurrentProcess, OpenProcessToken → 1800206e3: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError (18002073b: CloseHandle) → 180020741: VirtualAlloc; 180020760: InitializeCriticalSection; then repeated IsBadReadPtr / EnterCriticalSection, VirtualAlloc / LeaveCriticalSection blocks from 180020771 onward (graph cut off at 180020c91) → 180020d9b
• 180011cd5: WaitForSingleObject → 180011cea: NtQuerySystemInformation
• 180011d0e: VirtualFree, VirtualAlloc
• 180011d41: memset, NtQuerySystemInformation
• 180011d7c: lstrcmpiW
• 180011dcb: WaitForSingleObject → 180011de4: CloseHandle
29735->29722 29739 180020d1c 29736->29739 29740 180020cdf 29736->29740 29737->29730 29741 180020ca6 29738->29741 29742 180020cb9 LeaveCriticalSection 29738->29742 29744 180020d1f IsBadReadPtr 29739->29744 29740->29739 29743 180020ce4 EnterCriticalSection 29740->29743 29741->29742 29745 180020dfb LeaveCriticalSection 29741->29745 29742->29733 29746 180020d13 LeaveCriticalSection 29743->29746 29747 180020cf9 29743->29747 29748 180020d39 29744->29748 29749 180020d6f 29744->29749 29745->29736 29746->29739 29747->29746 29751 180020e0d LeaveCriticalSection 29747->29751 29748->29749 29750 180020d3e EnterCriticalSection 29748->29750 29749->29652 29752 180020d53 29750->29752 29753 180020d66 LeaveCriticalSection 29750->29753 29751->29744 29752->29753 29754 180020e1f LeaveCriticalSection 29752->29754 29753->29749 29754->29749 29755 180011e90 CreateThread 29756 180011ed1 IsBadReadPtr 29755->29756 29757 180011f64 GetNativeSystemInfo 29755->29757 29758 180011f57 29756->29758 29759 180011efe 29756->29759 29760 180011f94 29757->29760 29761 180011f9a CreateThread 29757->29761 29758->29757 29759->29758 29762 180011f03 EnterCriticalSection VirtualAlloc 29759->29762 29760->29761 29768 180011ff2 29760->29768 29763 180011fc6 CreateThread 29761->29763 29764 180011fbd CloseHandle 29761->29764 29765 180011f45 LeaveCriticalSection 29762->29765 29766 180011f30 29762->29766 29767 180011fe9 CloseHandle 29763->29767 29763->29768 29764->29763 29765->29758 29766->29765 29767->29768 29769 180013e10 29770 180013330 51 API calls 29769->29770 29771 180013e36 29770->29771 29772 180013e78 VirtualAlloc 29771->29772 29773 180014129 29771->29773 29774 180013e94 29772->29774 29781 180013e9b 29772->29781 29775 180015070 3 API calls 29773->29775 29776 180013fd4 VirtualFree 29774->29776 29777 180013fe9 29774->29777 29787 180014139 29775->29787 29776->29777 29778 180013ffb VirtualFree 29777->29778 29779 180026f00 6 API calls 29777->29779 29780 180014201 29778->29780 29782 180013ff7 29779->29782 29781->29774 
29783 180013f9f VirtualAlloc 29781->29783 29782->29778 29784 180014016 29783->29784 29785 180013fbb VirtualFree 29783->29785 29801 180036444 29784->29801 29785->29774 29790 1800141c7 VirtualFree 29787->29790 29791 1800141dc 29787->29791 29790->29791 29792 1800141ea 29791->29792 29793 180026f00 6 API calls 29791->29793 29794 1800141f1 VirtualFree 29792->29794 29793->29792 29794->29780 29796 1800140d8 VirtualFree 29797 1800140ed 29796->29797 29798 1800140ff VirtualFree VirtualFree 29797->29798 29799 180026f00 6 API calls 29797->29799 29798->29794 29800 1800140fb 29799->29800 29800->29798 29807 180036458 29801->29807 29804 180015070 _time64 srand 29805 180015100 rand 29804->29805 29805->29805 29806 180014047 29805->29806 29806->29796 29806->29797 29814 18003996c 29807->29814 29809 1800364b2 29811 180036514 29809->29811 29813 18001402c 29809->29813 29817 180038d24 22 API calls 29809->29817 29818 180039638 29811->29818 29813->29804 29822 1800396ec 29814->29822 29817->29809 29819 180039659 29818->29819 29820 18003967c free 29819->29820 29821 18003965f 29819->29821 29820->29821 29821->29813 29823 180039732 29822->29823 29831 18003980c 29822->29831 29824 1800397f4 malloc 29823->29824 29823->29831 29825 180039816 malloc 29824->29825 29824->29831 29826 18003988e 29825->29826 29827 180039921 29826->29827 29829 1800398f1 29826->29829 29828 180039638 free 29827->29828 29828->29831 29832 180039998 memset 29829->29832 29831->29809 29832->29831 29833 180017e90 GetCurrentProcessId ProcessIdToSessionId WTSEnumerateSessionsW 29834 180017f75 CreateThread 29833->29834 29837 180017eea 29833->29837 29835 180017f65 WTSFreeMemory 29835->29834 29836 180017f00 WTSQuerySessionInformationW 29836->29837 29837->29835 29837->29836 29838 180017f4d WTSFreeMemory 29837->29838 29839 180017f60 29837->29839 29841 1800176e0 memset GetSystemDirectoryW 29837->29841 29838->29837 29839->29835 29842 180017724 GetLastError 29841->29842 29843 18001772a lstrcatW IsBadReadPtr 29841->29843 29842->29843 29845 
18001791a 29843->29845 29846 18001794f 29843->29846 29845->29846 29847 18001791f EnterCriticalSection 29845->29847 29848 180020680 73 API calls 29846->29848 29849 180017934 29847->29849 29850 180017946 LeaveCriticalSection 29847->29850 29851 18001796f 29848->29851 29849->29850 29852 180017bda LeaveCriticalSection 29849->29852 29850->29846 29854 180017b95 29851->29854 29855 1800179ad IsBadReadPtr 29851->29855 29852->29846 29853 180017bc3 29852->29853 29853->29838 29856 180026f00 6 API calls 29854->29856 29857 180017a19 CreateThread 29855->29857 29858 1800179ce 29855->29858 29861 180017b9e VirtualFree 29856->29861 29859 180017a51 IsBadReadPtr 29857->29859 29860 180017abb 29857->29860 29858->29857 29862 1800179d3 EnterCriticalSection VirtualAlloc 29858->29862 29859->29860 29863 180017a71 29859->29863 29877 180028120 VirtualAlloc 29860->29877 29861->29853 29865 1800179fa 29862->29865 29866 180017a0f LeaveCriticalSection 29862->29866 29863->29860 29867 180017a76 EnterCriticalSection VirtualAlloc 29863->29867 29865->29866 29866->29857 29869 180017ab1 LeaveCriticalSection 29867->29869 29870 180017a9c 29867->29870 29869->29860 29870->29869 29871 180017b08 IsBadReadPtr 29872 180017b21 29871->29872 29873 180017b6b CreateThread 29871->29873 29872->29873 29874 180017b26 EnterCriticalSection VirtualAlloc 29872->29874 29873->29854 29875 180017b61 LeaveCriticalSection 29874->29875 29876 180017b4c 29874->29876 29875->29873 29876->29875 29878 180028145 InitializeCriticalSection 29877->29878 29879 180017ac3 memset GetCurrentProcessId wsprintfW 29877->29879 29878->29879 29879->29871 29880 180015150 memset wsprintfW 29881 1800151b7 CreateFileW 29880->29881 29882 1800151f5 GetFileSize 29881->29882 29904 1800152b5 29881->29904 29884 18001520b ReadFile 29882->29884 29882->29904 29883 1800152c0 SetThreadExecutionState SystemParametersInfoW SystemParametersInfoW 29885 1800152fa lstrlenW 29883->29885 29886 180015569 29883->29886 29887 1800152ac CloseHandle 29884->29887 29891 18001522f 
29884->29891 29888 180015334 lstrlenA 29885->29888 29885->29904 29887->29904 29889 180015349 lstrcmpiW lstrcmpiW lstrcmpiW 29888->29889 29888->29904 29889->29904 29890 180020680 73 API calls 29892 1800153c4 htons 29890->29892 29891->29887 29891->29891 29893 1800153df 29892->29893 29894 180026f00 6 API calls 29893->29894 29895 1800153e8 VirtualFree 29894->29895 29908 180014410 VirtualAlloc 29895->29908 29897 180015441 VirtualAlloc 29897->29904 29906 1800154f0 29897->29906 29899 180015545 WaitForSingleObject 29899->29904 29900 180015511 VirtualFree 29900->29906 29901 180015488 CreateThread 29902 180013330 51 API calls 29901->29902 29902->29904 29903 1800154d2 VirtualFree 29903->29904 29904->29881 29904->29883 29904->29890 29904->29897 29904->29900 29904->29901 29904->29903 29905 1800154f9 VirtualFree 29904->29905 29904->29906 29905->29906 29906->29899 29906->29900 29906->29904 29906->29905 29907 180026f00 6 API calls 29906->29907 30025 180014d20 47 API calls 29906->30025 29907->29906 29909 180014d0f 29908->29909 29910 18001443f VirtualAlloc 29908->29910 29909->29904 29911 180014481 IsBadReadPtr 29910->29911 29912 180014470 InitializeCriticalSection 29910->29912 29913 18001449a 29911->29913 29914 1800144ef IsBadReadPtr 29911->29914 29912->29911 29913->29914 29915 18001449f EnterCriticalSection VirtualAlloc 29913->29915 29916 180014508 29914->29916 29917 18001455d IsBadReadPtr 29914->29917 29918 1800144e5 LeaveCriticalSection 29915->29918 29919 1800144c5 29915->29919 29916->29917 29920 18001450d EnterCriticalSection VirtualAlloc 29916->29920 29921 180014576 29917->29921 29922 1800145cb IsBadReadPtr 29917->29922 29918->29914 29919->29918 29925 180014553 LeaveCriticalSection 29920->29925 29926 180014533 29920->29926 29921->29922 29927 18001457b EnterCriticalSection VirtualAlloc 29921->29927 29923 1800145e4 29922->29923 29924 180014639 IsBadReadPtr 29922->29924 29923->29924 29928 1800145e9 EnterCriticalSection VirtualAlloc 29923->29928 29929 180014652 29924->29929 29930 
1800146a7 InitializeCriticalSection IsBadReadPtr 29924->29930 29925->29917 29926->29925 29931 1800145c1 LeaveCriticalSection 29927->29931 29932 1800145a1 29927->29932 29933 18001462f LeaveCriticalSection 29928->29933 29934 18001460f 29928->29934 29929->29930 29935 180014657 EnterCriticalSection VirtualAlloc 29929->29935 29936 1800146d3 29930->29936 29937 18001470c 29930->29937 29931->29922 29932->29931 29933->29924 29934->29933 29939 18001469d LeaveCriticalSection 29935->29939 29940 18001467d 29935->29940 29936->29937 29941 1800146d8 EnterCriticalSection 29936->29941 29938 18001470f IsBadReadPtr 29937->29938 29942 180014762 29938->29942 29943 18001472c 29938->29943 29939->29930 29940->29939 29944 180014703 LeaveCriticalSection 29941->29944 29951 1800146ed 29941->29951 29946 180014765 IsBadReadPtr 29942->29946 29943->29942 29945 180014731 EnterCriticalSection 29943->29945 29944->29937 29947 180014759 LeaveCriticalSection 29945->29947 29954 180014746 29945->29954 29948 180014782 29946->29948 29949 1800147bc 29946->29949 29947->29942 29948->29949 29955 180014787 EnterCriticalSection 29948->29955 29952 1800147bf IsBadReadPtr 29949->29952 29950 180014a04 LeaveCriticalSection 29950->29938 29951->29944 29951->29950 29956 180014812 29952->29956 29957 1800147dc 29952->29957 29953 180014a16 LeaveCriticalSection 29953->29946 29954->29947 29954->29953 29958 1800147b3 LeaveCriticalSection 29955->29958 29959 18001479c 29955->29959 29961 180014815 IsBadReadPtr 29956->29961 29957->29956 29960 1800147e1 EnterCriticalSection 29957->29960 29958->29949 29959->29958 29966 180014a28 LeaveCriticalSection 29959->29966 29962 1800147f6 29960->29962 29963 180014809 LeaveCriticalSection 29960->29963 29964 180014832 29961->29964 29965 18001486c 29961->29965 29962->29963 29967 180014a3a LeaveCriticalSection 29962->29967 29963->29956 29964->29965 29968 180014837 EnterCriticalSection 29964->29968 29969 18001486f CreateEventW WSACreateEvent CreateEventW CreateEventW 29965->29969 29966->29952 
29967->29961 29972 180014863 LeaveCriticalSection 29968->29972 29973 18001484c 29968->29973 29970 1800148eb 29969->29970 29971 180014a9f 29969->29971 30026 180032de0 20 API calls 29970->30026 29975 180014aa7 29971->29975 29976 180014bfb VirtualAlloc 29971->29976 29972->29965 29973->29972 29981 180014a4c LeaveCriticalSection 29973->29981 30027 180034fa0 42 API calls 29975->30027 29977 1800149f1 29976->29977 29978 180014c1e CreateEventW CreateEventW CreateEventW CreateEventW 29976->29978 29977->29909 29982 180013330 51 API calls 29978->29982 29979 1800148f0 29979->29977 29983 1800148fc IsBadReadPtr 29979->29983 29981->29969 29985 180014c89 InitializeCriticalSection 29982->29985 29986 180014912 29983->29986 29987 18001494c 29983->29987 29984 180014aac 29984->29977 29988 180014ab8 IsBadReadPtr 29984->29988 29985->29977 29986->29987 29989 180014917 EnterCriticalSection 29986->29989 29992 18001494f IsBadReadPtr 29987->29992 29990 180014b0c 29988->29990 29991 180014ace 29988->29991 29993 180014943 LeaveCriticalSection 29989->29993 29994 18001492c 29989->29994 29998 180014b0f IsBadReadPtr 29990->29998 29991->29990 29995 180014ad3 EnterCriticalSection 29991->29995 29996 180014968 29992->29996 29997 18001499e 29992->29997 29993->29987 29994->29993 30007 180014a5e LeaveCriticalSection 29994->30007 30000 180014b03 LeaveCriticalSection 29995->30000 30001 180014ae8 29995->30001 29996->29997 30002 18001496d EnterCriticalSection 29996->30002 29999 1800149a1 IsBadReadPtr 29997->29999 30003 180014b28 29998->30003 30004 180014b5e 29998->30004 29999->29977 30005 1800149bb 29999->30005 30000->29990 30001->30000 30015 180014bc8 LeaveCriticalSection 30001->30015 30008 180014982 30002->30008 30009 180014995 LeaveCriticalSection 30002->30009 30003->30004 30010 180014b2d EnterCriticalSection 30003->30010 30006 180014b61 IsBadReadPtr 30004->30006 30005->29977 30013 1800149c0 EnterCriticalSection 30005->30013 30006->29977 30014 180014b7b 30006->30014 30007->29992 30008->30009 30016 180014a70 
LeaveCriticalSection 30008->30016 30009->29997 30011 180014b42 30010->30011 30012 180014b55 LeaveCriticalSection 30010->30012 30011->30012 30017 180014bda LeaveCriticalSection 30011->30017 30012->30004 30018 1800149d5 30013->30018 30019 1800149e8 LeaveCriticalSection 30013->30019 30014->29977 30020 180014b80 EnterCriticalSection 30014->30020 30015->29998 30016->29999 30017->30006 30018->30019 30021 180014a82 LeaveCriticalSection 30018->30021 30019->29977 30022 180014ba4 LeaveCriticalSection 30020->30022 30023 180014b95 30020->30023 30021->29977 30022->29977 30023->30022 30024 180014bec LeaveCriticalSection 30023->30024 30024->29977 30026->29979 30027->29984 30028 18001aad0 GetModuleHandleW RegisterClassW CreateWindowExW 30029 18001ac46 30028->30029 30030 18001abae SetWindowLongPtrW WTSRegisterSessionNotification 30028->30030 30030->30029 30031 18001abd1 ShowWindow GetMessageW 30030->30031 30032 18001ac0b 30031->30032 30033 18001ac3d WTSUnRegisterSessionNotification 30031->30033 30034 18001ac10 TranslateMessage DispatchMessageW GetMessageW 30032->30034 30033->30029 30034->30033 30034->30034 30035 180013bd0 30036 180013c12 WSAEventSelect 30035->30036 30037 180013c0a 30035->30037 30038 180013c36 30036->30038 30039 180013dc8 30036->30039 30037->30036 30038->30039 30040 180013330 51 API calls 30038->30040 30052 180013c5a 30040->30052 30041 180013c60 SetThreadExecutionState SystemParametersInfoW SystemParametersInfoW 30042 180013cb2 WSAWaitForMultipleEvents 30041->30042 30041->30052 30043 180013d7b WSAGetLastError 30042->30043 30042->30052 30044 180013d38 30043->30044 30044->30039 30046 180013da5 30044->30046 30047 180013d90 VirtualFree 30044->30047 30045 180013ce5 WSAEnumNetworkEvents 30045->30043 30045->30052 30049 180013db7 VirtualFree 30046->30049 30050 180026f00 6 API calls 30046->30050 30047->30046 30048 180013ddd 30048->30043 30049->30039 30051 180013db3 30050->30051 30051->30049 30052->30041 30052->30042 30052->30043 30052->30044 30052->30045 30052->30048 30054 
180013d61 SetEvent 30052->30054 30056 1800138d0 30052->30056 30054->30044 30064 180013904 30056->30064 30057 180013b8a 30057->30052 30058 1800139f5 VirtualAlloc 30058->30057 30059 180013a19 VirtualAlloc 30058->30059 30059->30057 30060 180013a39 30059->30060 30065 1800362e4 30060->30065 30063 180013b2b VirtualFree 30063->30064 30064->30057 30064->30058 30064->30063 30068 1800362fc 30065->30068 30067 180013a58 VirtualFree 30067->30063 30067->30064 30069 180036339 30068->30069 30072 180037cbc 30069->30072 30071 18003636c 30071->30067 30074 180037be0 30072->30074 30073 180037c56 malloc 30075 180037c16 30073->30075 30074->30073 30074->30075 30075->30071 30076 1f95c700000 30079 1f95c700a68 30076->30079 30078 1f95c700019 30080 1f95c700a84 30079->30080 30082 1f95c700b0a 30080->30082 30083 1f95c700768 30080->30083 30082->30078 30086 1f95c700778 30083->30086 30085 1f95c700771 30085->30082 30087 1f95c7007a8 30086->30087 30089 1f95c70088a 30087->30089 30090 1f95c700508 30087->30090 30089->30085 30091 1f95c70052c 30090->30091 30092 1f95c70061d LoadLibraryA 30091->30092 30093 1f95c7006fa 30091->30093 30094 1f95c7006c1 GetProcAddressForCaller 30091->30094 30092->30091 30092->30093 30093->30089 30094->30091 30094->30093 30095 1f95c700345 30096 1f95c7003ff 30095->30096 30098 1f95c700360 30095->30098 30097 1f95c700387 VirtualFree 30097->30098 30098->30096 30098->30097 30099 180032b20 30100 180032b44 CreateEventW WSASend WSAGetLastError 30099->30100 30101 180032b37 30099->30101 30102 180032bd8 WaitForMultipleObjects 30100->30102 30103 180032c2b 30100->30103 30106 180032bf4 30102->30106 30107 180032bfd WSAGetOverlappedResult 30102->30107 30104 180032c35 CloseHandle 30103->30104 30105 180032c3b 30103->30105 30104->30105 30106->30103 30108 180032c23 WSAGetLastError 30106->30108 30107->30108 30108->30103 30109 1800205a0 30114 18001c0f0 30109->30114 30111 1800205cf CreateFileW 30112 180020608 memset lstrlenA DeviceIoControl CloseHandle 30111->30112 30113 180020669 30111->30113 
30112->30113 30115 18001c116 30114->30115 30115->30111 30116 180027fa0 PeekNamedPipe 30117 18002807d GetLastError 30116->30117 30118 180027fdd 30116->30118 30118->30117 30119 180027fe9 VirtualAlloc 30118->30119 30120 18002805b GetLastError 30119->30120 30121 18002800a ReadFile 30119->30121 30122 18002803c VirtualFree FlushFileBuffers 30121->30122 30123 18002802e 30121->30123 30122->30120 30124 18002806e 30122->30124 30123->30122 30125 180027e20 CreateNamedPipeW 30126 180027e6b GetLastError 30125->30126 30127 180027e7c ConnectNamedPipe 30125->30127 30126->30127 30128 180027e9b 30127->30128 30129 180027e8b GetLastError 30127->30129 30129->30128 30130 1800201a0 GetCurrentProcess OpenProcessToken 30131 180020223 GetLastError 30130->30131 30132 18002022e DuplicateTokenEx 30130->30132 30134 18002033b 30131->30134 30132->30131 30133 18002025b SetTokenInformation 30132->30133 30133->30131 30135 180020277 CreateEnvironmentBlock 30133->30135 30135->30131 30136 18002028c CreateProcessAsUserW 30135->30136 30137 1800202d4 CreateProcessAsUserW 30136->30137 30138 180020321 30136->30138 30137->30131 30137->30138 30140 18001f9e0 VirtualAllocEx 30138->30140 30141 18001fa4a VirtualAllocEx 30140->30141 30142 18001fa3f GetLastError 30140->30142 30143 18001fa99 GetLastError 30141->30143 30144 18001fa79 WriteProcessMemory 30141->30144 30156 18001fcdb 30142->30156 30143->30156 30144->30143 30145 18001faa4 VirtualAllocEx 30144->30145 30146 18001fcd3 GetLastError 30145->30146 30147 18001fad7 WriteProcessMemory 30145->30147 30146->30156 30147->30146 30148 18001fafc 30147->30148 30158 18001f560 30148->30158 30150 18001fb04 WriteProcessMemory 30150->30146 30152 18001fc02 VirtualProtectEx VirtualProtectEx 30150->30152 30153 18001fc88 30152->30153 30154 18001fc4d memset GetThreadContext SetThreadContext 30152->30154 30153->30156 30157 18001fc8d memset Wow64GetThreadContext Wow64SetThreadContext 30153->30157 30155 18001fcc6 ResumeThread 30154->30155 30155->30146 30155->30156 30156->30134 
30157->30155 30159 18001f6f1 30158->30159 30160 18001f574 30158->30160 30159->30150 30160->30159 30161 18001f584 VirtualAlloc 30160->30161 30162 18001f6ba 30161->30162 30163 18001f5b0 memcpy 30161->30163 30162->30150 30164 18001f5c4 30163->30164 30165 18001f6d9 VirtualFree 30164->30165 30166 18001f69a 30164->30166 30165->30162 30167 18001f6cf VirtualFree 30166->30167 30168 18001f6af VirtualFree 30166->30168 30167->30162 30168->30162 30169 180013180 30170 18001319a 30169->30170 30171 1800131c3 ceil VirtualAlloc 30170->30171 30172 1800131ba memcpy 30170->30172 30174 180013271 30171->30174 30175 180013200 30171->30175 30172->30174 30175->30172 30176 180013218 memcpy 30175->30176 30177 18001323c VirtualFree 30175->30177 30176->30172 30176->30177 30177->30172 30178 180012fc0 30179 180012fd5 30178->30179 30180 180012fde ceil 30178->30180 30179->30180 30181 180013002 30179->30181 30180->30181 30182 18001300f VirtualAlloc 30180->30182 30183 180013045 30182->30183 30184 180013030 30182->30184 30185 180013052 30183->30185 30186 18001306e VirtualFree 30183->30186 30187 18001305d memcpy 30183->30187 30185->30186 30187->30186 30188 1800194c0 30189 180013330 51 API calls 30188->30189 30190 180019510 CreateToolhelp32Snapshot 30189->30190 30191 180019564 30190->30191 30192 180019535 GetProcessHeap HeapAlloc 30190->30192 30195 18001957a 30191->30195 30196 18001956d WTSGetActiveConsoleSessionId 30191->30196 30193 1800196c8 Process32FirstW 30192->30193 30194 18001955e CloseHandle 30192->30194 30197 18001970a GetProcessHeap HeapFree CloseHandle 30193->30197 30198 1800196db 30193->30198 30194->30191 30223 180016bc0 IsBadReadPtr 30195->30223 30196->30195 30197->30191 30200 18001972f ProcessIdToSessionId 30197->30200 30199 1800196e0 lstrcmpiW 30198->30199 30201 1800196f5 Process32NextW 30199->30201 30202 180019705 30199->30202 30200->30195 30201->30199 30201->30202 30202->30197 30204 1800195a2 WaitForSingleObject 30205 18001965e 30204->30205 30220 1800195bc 30204->30220 30206 180019685 
VirtualFree 30205->30206 30207 18001969a 30205->30207 30206->30207 30209 1800196ac VirtualFree 30207->30209 30211 180026f00 6 API calls 30207->30211 30208 1800195c0 CreateToolhelp32Snapshot 30210 1800195d7 GetProcessHeap HeapAlloc 30208->30210 30208->30220 30212 180019744 Process32FirstW 30210->30212 30213 180019600 CloseHandle 30210->30213 30216 1800196a8 30211->30216 30215 18001978a GetProcessHeap HeapFree CloseHandle 30212->30215 30212->30220 30213->30220 30214 18001960f WTSGetActiveConsoleSessionId 30214->30220 30218 1800197af ProcessIdToSessionId 30215->30218 30215->30220 30216->30209 30217 180019760 lstrcmpiW 30219 180019775 Process32NextW 30217->30219 30217->30220 30218->30220 30219->30217 30219->30220 30220->30208 30220->30214 30220->30215 30220->30217 30221 180016bc0 4 API calls 30220->30221 30222 180019644 WaitForSingleObject 30221->30222 30222->30205 30222->30208 30224 180016c5b 30223->30224 30225 180016bed 30223->30225 30224->30204 30225->30224 30226 180016bf2 EnterCriticalSection 30225->30226 30227 180016c0c 30226->30227 30228 180016c1e LeaveCriticalSection 30226->30228 30227->30228 30230 180016c3e LeaveCriticalSection 30227->30230 30229 180016c27 30228->30229 30229->30204 30230->30229 30231 180012140 30312 18002b990 VirtualAlloc 30231->30312 30233 180012156 30319 18002d340 GetModuleHandleW 30233->30319 30235 18001215b WSAStartup 30236 180012175 30235->30236 30267 18001236b 30235->30267 30329 18002d7d0 CoInitializeEx 30236->30329 30238 18001219a GetCommandLineW CommandLineToArgvW 30339 18001afc0 VirtualAlloc 30238->30339 30241 1800121f4 VirtualAlloc 30243 18001221a InitializeCriticalSection 30241->30243 30244 18001222b memset GetCurrentProcessId 30241->30244 30242 1800121e3 InitializeCriticalSection 30242->30241 30243->30244 30245 18002c950 5 API calls 30244->30245 30246 180012256 lstrcmpiW 30245->30246 30247 180012273 lstrcmpiW 30246->30247 30248 18001226e 30246->30248 30249 180012297 lstrcmpiW 30247->30249 30250 180012289 30247->30250 30248->30247 
30252 1800122be lstrcmpiW 30249->30252 30253 1800122ad GetCurrentProcess TerminateProcess 30249->30253 30359 180012830 GetModuleHandleW GetModuleHandleW GetModuleHandleW VirtualProtect VirtualProtect 30250->30359 30255 1800122d8 30252->30255 30256 1800123e0 30252->30256 30253->30252 30254 18001228e ExitThread 30350 18002d140 OpenSCManagerW 30255->30350 30258 1800125c7 lstrcmpiW 30256->30258 30259 1800123ed memset GetModuleFileNameW wcsstr 30256->30259 30260 180012697 30258->30260 30261 1800125e0 30258->30261 30263 180012473 memset GetModuleFileNameW IsUserAnAdmin 30259->30263 30264 18001242f GetNativeSystemInfo 30259->30264 30369 180012000 103 API calls 30260->30369 30261->30267 30268 1800125ed lstrcmpiW 30261->30268 30265 1800124a6 30263->30265 30266 1800124b7 30263->30266 30272 180012642 30264->30272 30273 18001245b 30264->30273 30289 180012681 GetCurrentProcess TerminateProcess 30265->30289 30363 180020e40 16 API calls 30266->30363 30268->30260 30275 180012606 GetNativeSystemInfo 30268->30275 30270 1800123a1 CreateThread 30270->30270 30277 1800123c7 WaitForSingleObject CloseHandle 30270->30277 30271 1800122f4 30360 18002ca60 10 API calls 30271->30360 30278 18002d140 10 API calls 30272->30278 30273->30272 30280 180012465 30273->30280 30275->30272 30283 18001262e 30275->30283 30277->30270 30284 18001264e 30278->30284 30362 1800126b0 84 API calls 30280->30362 30282 1800124c3 30364 180020fa0 41 API calls 30282->30364 30283->30272 30291 180012634 30283->30291 30292 180012654 30284->30292 30293 18001267c 30284->30293 30285 180012300 30286 180012304 OpenProcess 30285->30286 30287 180012330 30285->30287 30286->30287 30295 18001231c TerminateProcess CloseHandle 30286->30295 30302 180012394 Sleep 30287->30302 30303 18001233d WaitForSingleObject GetExitCodeProcess 30287->30303 30361 1800126b0 84 API calls 30287->30361 30288 18001246a ExitProcess 30289->30267 30367 1800126b0 84 API calls 30291->30367 30294 180020680 73 API calls 30292->30294 30368 1800126b0 84 API calls 
30293->30368 30294->30265 30295->30287 30298 1800124d6 30365 18002d2a0 8 API calls 30298->30365 30301 180012639 ExitProcess 30302->30287 30303->30267 30303->30287 30304 1800124e2 memset wsprintfW 30366 180001070 30304->30366 30313 18002b9cf memcpy 30312->30313 30314 18002bc0e 30312->30314 30313->30314 30315 18002b9fa VirtualAlloc 30313->30315 30314->30233 30315->30314 30316 18002ba1e memcpy memcpy 30315->30316 30317 18002ba90 30316->30317 30317->30317 30318 18002baff memset ExpandEnvironmentStringsW memset 30317->30318 30318->30233 30320 18002d371 GetCurrentProcess K32GetModuleInformation memset GetSystemDirectoryW 30319->30320 30321 18002d590 30319->30321 30322 18002d3c5 lstrcatW CreateFileW 30320->30322 30323 18002d57d 30320->30323 30321->30235 30324 18002d415 CreateFileMappingW 30322->30324 30326 18002d538 30322->30326 30323->30235 30325 18002d43c MapViewOfFile 30324->30325 30324->30326 30325->30326 30327 18002d469 30325->30327 30326->30235 30327->30326 30328 18002d4d5 VirtualProtect memcpy VirtualProtect 30327->30328 30328->30327 30330 18002d8c5 30329->30330 30331 18002d82e CoCreateInstance 30329->30331 30330->30238 30332 18002d84f 30331->30332 30333 18002d86e CoUninitialize 30331->30333 30334 18002d864 30332->30334 30335 18002d87a SysAllocString 30332->30335 30333->30238 30334->30333 30336 18002d89d SysFreeString 30335->30336 30337 18002d8b0 CoUninitialize 30336->30337 30337->30330 30340 18001afe9 CreateEventW VirtualAlloc 30339->30340 30341 1800121c2 VirtualAlloc 30339->30341 30342 18001b094 InitializeCriticalSection 30340->30342 30343 18001b0a5 VirtualAlloc 30340->30343 30341->30241 30341->30242 30342->30343 30344 18001b0dc VirtualAlloc 30343->30344 30345 18001b0cb InitializeCriticalSection 30343->30345 30346 18001b102 InitializeCriticalSection 30344->30346 30347 18001b113 VirtualAlloc 30344->30347 30345->30344 30346->30347 30348 18001b14a 30347->30348 30349 18001b139 InitializeCriticalSection 30347->30349 30348->30341 30349->30348 30351 18002d177 
EnumServicesStatusExW malloc 30350->30351 30358 1800122e4 GetCurrentProcessId 30350->30358 30352 18002d1d4 memset EnumServicesStatusExW 30351->30352 30351->30358 30353 18002d228 CloseServiceHandle free 30352->30353 30354 18002d24d CloseServiceHandle 30352->30354 30353->30358 30355 18002d25e 30354->30355 30354->30358 30356 18002d260 lstrcmpiW 30355->30356 30355->30358 30356->30355 30357 18002d286 free 30356->30357 30357->30358 30358->30270 30358->30271 30359->30254 30360->30285 30361->30287 30362->30288 30363->30282 30364->30298 30365->30304 30367->30301 30368->30289 30370 180011ae0 CreateEventW VirtualAlloc 30371 180020680 73 API calls 30370->30371 30376 180011b37 30371->30376 30372 180011b45 WaitForSingleObject 30373 180011b5a NtQuerySystemInformation 30372->30373 30372->30376 30373->30376 30374 180011b7e VirtualFree VirtualAlloc 30374->30376 30375 180011bb1 memset NtQuerySystemInformation 30375->30376 30376->30372 30376->30374 30376->30375 30377 180011bec lstrcmpiW 30376->30377 30378 180011c3b WaitForSingleObject 30376->30378 30377->30376 30378->30376 30379 180011c54 CloseHandle 30378->30379 30379->30376

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRead$AllocVirtual$ProcessToken$AdjustCloseCurrentErrorHandleInitializeLastLookupOpenPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 3221255601-2896544425
• Opcode ID: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction ID: 8182a6c1e6bb2c399cdab592ca016c8a5b7603f4b1f61c7e89913c231e199cb3
• Opcode Fuzzy Hash: 79b32153c8a47bce9488e86581e1df08a4a5845b2d426890eb6905a67430a941
• Instruction Fuzzy Hash: 03320C35301F4986EB9B8F11EA543A97366FB48BC0F64C515EA6A43B95EF38D66CC300

Control-flow Graph

Control-flow graph of function 1800224e0 (graph rendering omitted; nodes were marked Executed / Not Executed in the original). Node API calls: memset, gethostname, gethostbyname, inet_ntoa, wsprintfW, lstrcatW, GetForegroundWindow, GetWindowTextW, VirtualAlloc, GetModuleHandleW, GetProcAddress, GetComputerNameW, GetCurrentProcess, IsWow64Process, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetSystemInfo, GlobalMemoryStatusEx, GetUserNameW, GetCurrentProcessId, VirtualFree, GetWindowsDirectoryW, GetLastError, GetVolumeInformationW, wsprintfA, CoInitializeEx, CoCreateInstance, SysFreeString, CoUninitialize; subcalls to 18002c950, 18002bdc0, 180013330, 1800223b0, 180026f00.
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$wsprintf$CriticalSection$Processmemset$CurrentEnterRead$AddressCloseHandleInitializeLeaveModuleNameProcWindowWow64$ComputerCreateDirectoryErrorForegroundGlobalInfoInformationInstanceLastMemoryOpenQueryStatusStringSystemTextUninitializeUserValueVolumeWindowsgethostbynamegethostnameinet_ntoalstrcat
• String ID: %08X$%X%X%hs$%d*%dMHz$%dMB$%hs$1216$:$FriendlyName$HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0$HTTP$RtlGetNtVersionNumbers$RtlGetVersion$TCP$UDP$[U]:%s | [P]:%s$ntdll.dll$~MHZ
• API String ID: 1654958678-2219617641
• Opcode ID: 568594e8bc2c5765bfc1ae6a0361cb2a71fe365cdb98b8f02094b72811b38f6b
• Instruction ID: 85167b4e31fce27fea4a3dd865718084707bdea1bb1ad3282e4a31ddf71c6b33
• Opcode Fuzzy Hash: 568594e8bc2c5765bfc1ae6a0361cb2a71fe365cdb98b8f02094b72811b38f6b
• Instruction Fuzzy Hash: 6F628C36A14BC486EB62DF25DC547ED33A1FB9DB88F419215EA5947A64EF38C388C700

Control-flow Graph

Control-flow graph of function 180012140 (graph rendering omitted; nodes were marked Executed / Not Executed in the original). Node API calls: WSAStartup, GetCommandLineW, CommandLineToArgvW, VirtualAlloc, InitializeCriticalSection, memset, GetCurrentProcessId, lstrcmpiW, ExitThread, GetCurrentProcess, TerminateProcess, CreateThread, WaitForSingleObject, CloseHandle, OpenProcess, GetExitCodeProcess, Sleep, GetModuleFileNameW, wcsstr, IsUserAnAdmin, GetNativeSystemInfo, wsprintfW, OpenSCManagerW, OpenServiceW, ChangeServiceConfig2W, GetLastError, CloseServiceHandle, ExitProcess; subcalls to 18002b990, 18002d340, 18002d7d0, 18001afc0, 18002c950, 180012830, 18002d140, 18002ca60, 1800126b0, 180012000, 180005a00, 180020e40, 180020fa0, 18002d2a0, 180001070, 180020680.
APIs
  • Part of subcall function 000000018002B990: VirtualAlloc.KERNEL32 ref: 000000018002B9B9
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002B9DD
  • Part of subcall function 000000018002B990: VirtualAlloc.KERNEL32 ref: 000000018002BA08
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002BA3D
  • Part of subcall function 000000018002B990: memcpy.NTDLL ref: 000000018002BA73
  • Part of subcall function 000000018002B990: memset.NTDLL ref: 000000018002BB0C
  • Part of subcall function 000000018002B990: ExpandEnvironmentStringsW.KERNEL32 ref: 000000018002BB23
  • Part of subcall function 000000018002B990: memset.NTDLL ref: 000000018002BB38
  • Part of subcall function 000000018002D340: GetModuleHandleW.KERNEL32 ref: 000000018002D35F
  • Part of subcall function 000000018002D340: GetCurrentProcess.KERNEL32 ref: 000000018002D379
  • Part of subcall function 000000018002D340: K32GetModuleInformation.KERNEL32 ref: 000000018002D390
  • Part of subcall function 000000018002D340: memset.NTDLL ref: 000000018002D3A8
  • Part of subcall function 000000018002D340: GetSystemDirectoryW.KERNEL32 ref: 000000018002D3B7
  • Part of subcall function 000000018002D340: lstrcatW.KERNEL32 ref: 000000018002D3D9
  • Part of subcall function 000000018002D340: CreateFileW.KERNEL32 ref: 000000018002D406
  • Part of subcall function 000000018002D340: CreateFileMappingW.KERNELBASE ref: 000000018002D42D
  • Part of subcall function 000000018002D340: MapViewOfFile.KERNEL32 ref: 000000018002D457
  • Part of subcall function 000000018002D340: VirtualProtect.KERNEL32 ref: 000000018002D4F2
  • Part of subcall function 000000018002D340: memcpy.NTDLL ref: 000000018002D507
• WSAStartup.WS2_32 ref: 0000000180012167
  • Part of subcall function 000000018002D7D0: CoInitializeEx.COMBASE ref: 000000018002D820
  • Part of subcall function 000000018002D7D0: CoCreateInstance.COMBASE ref: 000000018002D845
  • Part of subcall function 000000018002D7D0: CoUninitialize.OLE32 ref: 000000018002D86E
• GetCommandLineW.KERNEL32 ref: 00000001800121A4
• CommandLineToArgvW.SHELL32 ref: 00000001800121B4
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001AFD7
  • Part of subcall function 000000018001AFC0: CreateEventW.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B061
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B086
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B098
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0BD
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0CF
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B0F4
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B106
  • Part of subcall function 000000018001AFC0: VirtualAlloc.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B12B
  • Part of subcall function 000000018001AFC0: InitializeCriticalSection.KERNEL32(?,?,?,0000000180011E17), ref: 000000018001B13D
• VirtualAlloc.KERNEL32 ref: 00000001800121D5
• InitializeCriticalSection.KERNEL32 ref: 00000001800121E7
• VirtualAlloc.KERNEL32 ref: 000000018001220C
• InitializeCriticalSection.KERNEL32 ref: 000000018001221E
• memset.NTDLL ref: 000000018001223F
• GetCurrentProcessId.KERNEL32 ref: 0000000180012244
• lstrcmpiW.KERNEL32 ref: 0000000180012264
• lstrcmpiW.KERNEL32 ref: 000000018001227F
• ExitThread.KERNEL32 ref: 0000000180012290
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$Initialize$CriticalSection$Creatememcpymemset$File$CommandCurrentLineModuleProcesslstrcmpi$ArgvDirectoryEnvironmentEventExitExpandHandleInformationInstanceMappingProtectStartupStringsSystemThreadUninitializeViewlstrcat
• String ID: %s\%s$/Processid:{F8284233-48F4-4680-ADDD-F8284233}$52.74.204.186$C:\Program Files\Windows Mail$Inject Test$Microsoft Mail Update Task MachineCore$MicrosoftMailUpdateTask$ParphaCrashReport64.exe$Schedule$perfmon.exe$svchost.exe$taskmgr.exe
• API String ID: 3540647475-3759651048
• Opcode ID: 569088badbbcdac6d42bf1008e5f6975a5e4569a9871405a7f488f6c7dbac2ae
• Instruction ID: 2d135b880d5fe02e417b51c7c9d75e0b01d22dc8dd8ce6cea38afdafabf7ab39
• Opcode Fuzzy Hash: 569088badbbcdac6d42bf1008e5f6975a5e4569a9871405a7f488f6c7dbac2ae
• Instruction Fuzzy Hash: E3E15B31210F8986EBA69B21EC543D92362FB8CBC5F54C229F95A466A5FF38C75DD300

Control-flow Graph

Control-flow graph of function 1800176e0 (graph rendering omitted; nodes were marked Executed / Not Executed in the original). Node API calls: memset, GetSystemDirectoryW, GetLastError, lstrcatW, IsBadReadPtr, EnterCriticalSection, LeaveCriticalSection, VirtualAlloc, VirtualFree, CreateThread, GetCurrentProcessId, wsprintfW; subcalls to 180020680, 180026f00, 180028120.
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$Alloc$EnterLeaveRead$Process$CreateCurrentErrorLastThreadTokenmemset$AdjustCloseDirectoryFreeHandleInitializeLookupOpenPrivilegePrivilegesSystemValuelstrcatwsprintf
                                                                                                                                          • String ID: :G:$:$A:|:$B:_:$I:N:$I:S:$R:U:$U:Y:$V:V:$\\.\Pipe\%d_pipe%d$^:$_:I:$f:^:$j:H:${:~:$~:~:
                                                                                                                                          • API String ID: 1888231936-1994672154
                                                                                                                                          • Opcode ID: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                                          • Instruction ID: 3889ea3ac3043fc74429e799f3028dbf4620c996b15624d143a50c7995104de0
                                                                                                                                          • Opcode Fuzzy Hash: d1dc49243b75cc45df72bb56242f6d83b0d0b9c438548c6c26e7b7a07f614e83
                                                                                                                                          • Instruction Fuzzy Hash: FCE19373604F848AE7518F31E8407EE77B5FB89B88F549215EE9907A59EF38D648CB00

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$Filelstrcmpi$CreateInfoParametersSystemThreadlstrlen$AllocCloseExecutionHandleObjectReadSingleSizeStateWaithtonsmemsetwsprintf
                                                                                                                                          • String ID: %s\%s$52.74.204.186$C:\Program Files\Windows Mail$HTTP$PTCP$TCP$UDP$install.cfg
                                                                                                                                          • API String ID: 1274318034-1938615182
                                                                                                                                          • Opcode ID: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
                                                                                                                                          • Instruction ID: 2f6e79b09caedb5c6ecaa2b644d67a3a665af9ed5fdace6e6c7bc957c955e5e0
                                                                                                                                          • Opcode Fuzzy Hash: 663568433656cea89e63caccbc2b97e320fd9943314f34955629d2a210d6f6f0
                                                                                                                                          • Instruction Fuzzy Hash: E3B14832611B4986EB968F22EC54BD937A6FB8DBC1F548225ED9A47750EF38C64CC700

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocErrorLastVirtual$MemoryProcessWrite
                                                                                                                                          • String ID: @$h
                                                                                                                                          • API String ID: 1382438346-1029331998
                                                                                                                                          • Opcode ID: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
                                                                                                                                          • Instruction ID: a7a10f81cb03d2afda9468892e7ca3dc18b483b94c8c543e7091a66b8c703a11
                                                                                                                                          • Opcode Fuzzy Hash: 68fc5231bb649cffb2ef201a26c0452fc735f8ffc7358dd3c59d4300c21df8ec
                                                                                                                                          • Instruction Fuzzy Hash: F481F832218BC486E7A18B59B85479EAB51F79A7C4F448219FEC647B49DF3CC709CB40

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
                                                                                                                                          • String ID: taskmgr.exe
                                                                                                                                          • API String ID: 441768363-4156271273
                                                                                                                                          • Opcode ID: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
                                                                                                                                          • Instruction ID: 8c534c4529b1279cb1ee3dcd0e8a20b8e351fbbc3e98abf8b0580985b8146b18
                                                                                                                                          • Opcode Fuzzy Hash: 0621dc44498ae919b7e903597f6a72dc258cdebb099c8e8026c95ccd3122d783
                                                                                                                                          • Instruction Fuzzy Hash: BE419331309A4886E79A9F52E9547EAB752FB8CBD1F14C119FD5643A94EF38CA0CC740

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Alloc$CriticalSection$CloseEnterHandleInformationObjectProcessQueryReadSingleSystemTokenWait$AdjustCreateCurrentErrorEventFreeInitializeLastLeaveLookupOpenPrivilegePrivilegesValuelstrcmpimemset
                                                                                                                                          • String ID: perfmon.exe
                                                                                                                                          • API String ID: 441768363-2343862317
                                                                                                                                          • Opcode ID: 1ff94469c56b8cc6a5d9ee662ab4a9b8b7f31cb7e0d49a88a5d64ab3ffe76320
                                                                                                                                          • Instruction ID: 1ff6f72ff0560bcc7d3ab5e25184d4435df018d7ec391edcb978b88ee9d5e7f7
                                                                                                                                          • Opcode Fuzzy Hash: 1ff94469c56b8cc6a5d9ee662ab4a9b8b7f31cb7e0d49a88a5d64ab3ffe76320
                                                                                                                                          • Instruction Fuzzy Hash: FC418231305A4C46EB9A8F56F9147EAB762FB8CBD1F14C129FD5643A94DF38C6088780

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Message$RegisterWindow$NotificationSession$ClassCreateDispatchHandleLongModuleShowTranslate
                                                                                                                                          • String ID: Session Logon
                                                                                                                                          • API String ID: 1979525249-2950959013
                                                                                                                                          • Opcode ID: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
                                                                                                                                          • Instruction ID: d08fdae4d4f9fdd3136886858d865e0be8124aefc151439e2e8a41504d97a45e
                                                                                                                                          • Opcode Fuzzy Hash: 0d96d5dafa15c8008ce9f0b536f309e21048c116557f430f552321169d452b8d
                                                                                                                                          • Instruction Fuzzy Hash: 26415532658B8583E751CF25F85439AB3A1FB9D784F64D225EA9942A24EF38C189CB00

                                                                                                                                          Control-flow Graph

APIs
• Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
• Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
• Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
• Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
• Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
• Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
• Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
• Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
• Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
• Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
• Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
• Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
• Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
• Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualAlloc.KERNEL32 ref: 0000000180013E86
• VirtualAlloc.KERNEL32 ref: 0000000180013FAD
• VirtualFree.KERNEL32 ref: 0000000180013FC6
• VirtualFree.KERNEL32 ref: 0000000180013FDC
• VirtualFree.KERNELBASE ref: 00000001800140E0
• VirtualFree.KERNEL32 ref: 000000018001410A
• VirtualFree.KERNELBASE ref: 000000018001411B
• VirtualFree.KERNEL32 ref: 0000000180014006
• VirtualFree.KERNELBASE ref: 00000001800141CF
• VirtualFree.KERNELBASE ref: 00000001800141F9
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$Alloc$CriticalSection$EnterRead$Leave$Initialize_time64randsrand
• String ID: :
• API String ID: 3336294232-336475711
• Opcode ID: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
• Instruction ID: ac7c9b2bb9ed7eb79858a5ee46919171fc2b07e9708586d287d69a6b6e660aff
• Opcode Fuzzy Hash: 320fe126eff4e4079a3c9b3cb6761e39752f23555b150b95cbf71f8c5b9ac005
• Instruction Fuzzy Hash: CDB1C032710B8482EB568F2AE4053A9A7A1FBCEFC4F14D225EE8947755EF38C649C740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CloseEnumHandleServiceServicesStatusfree$ManagerOpenlstrcmpimallocmemset
• String ID:
• API String ID: 2647132813-0
• Opcode ID: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction ID: 7c73760ca3ebe89c16cf9c31f76af7ec992950ddbeb1bc6f2b7493007aa42a7f
• Opcode Fuzzy Hash: c2b9930ff57626eae451ef52e78241fd2a7e99a3c5bb9cb5767dca943c792e03
• Instruction Fuzzy Hash: 53418832205B48CAE7A58F25F84479AB7A5FB8CB94F548525EE8D43B14EF38C64DDB00
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Process32lstrlen$Next$CloseCreateFirstHandleSnapshotToolhelp32freemalloc
• String ID:
• API String ID: 4027670598-0
• Opcode ID: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction ID: 5ce6378f21c5ee87597c9bb07d5787008eb168cc985a55d02f6761e40f426007
• Opcode Fuzzy Hash: 439f8d2e972513238416a548221f462a94073303e1c60fa0b93f47d4e757f503
• Instruction Fuzzy Hash: 02315A71204B5582EB919F26E85439967B1FB8CFD0F549225EE5A43B68EF3CC64DCB00
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: ErrorLastVirtual$AllocCloseCreateEventFreeHandleMultipleObjectsOverlappedRecvResultWait
• String ID:
• API String ID: 425432780-0
• Opcode ID: ed0ee6d2a44e02ea4b8664fa35f5b3073364424dd04f963a90776adab9f5fb3d
• Instruction ID: 80ddba25ada4c12ba25501bbea63694672ddceb4bf4905497e17ba262c6017a4
• Opcode Fuzzy Hash: ed0ee6d2a44e02ea4b8664fa35f5b3073364424dd04f963a90776adab9f5fb3d
• Instruction Fuzzy Hash: 19319532314B9482E766CF11F844B9BB7A5FB8DBD0F558125EA9903B24EF78C649CB01
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Process$CreateToken$User$BlockCurrentDuplicateEnvironmentErrorInformationLastOpen
• String ID:
• API String ID: 2924300727-0
• Opcode ID: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
• Instruction ID: 13034978c3ab2fb9f9047006cc71b10522f326b05abda6e4f2bcf0c65b74da56
• Opcode Fuzzy Hash: 16c3d07ec9acde65d2acdc43e71b5766c09dd73d369f4e5c742e79ed460f77ea
• Instruction Fuzzy Hash: 54513C32B04B858AE791CFA1E8807DD37B5F798788F509215AE8D67B18DF38C259D740
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandlelstrlenmemset
• String ID: \\.\{F8284233-48F4-4680-ADDD-F8284233}
• API String ID: 2589617790-329358119
• Opcode ID: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
• Instruction ID: 39cc20b0d125f0f5a721635b497ca12531b62917f9f5da8482c53947056ba4d5
• Opcode Fuzzy Hash: a3b02f37b284e632ff8c0487233c56c7f58dd63dbc29904f1061be0df106d2bb
• Instruction Fuzzy Hash: 26111F36218B8582E7A2CB54F8547CAB7A1F7CD784F548126EA8D43B58EF7DC648CB40
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: NamedPipe$ConnectCreateErrorLast
• String ID:
• API String ID: 3851520242-0
• Opcode ID: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
• Instruction ID: 6bb7147edad98ca35960e2d476685a951813d0cf86fdcec3da0d9f41873a4748
• Opcode Fuzzy Hash: 5202d77b4504b343c25026c585eb62c568917b05fbb34b8c84aa117687ab1fdd
• Instruction Fuzzy Hash: CC017172304A4482D7518B16F940399B3A6EF8C7F4F148321FA79437A4EF78C9588B00

Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$AllocVirtual$CriticalProcessSection$CloseFreeHandleProcess32Session$EnterRead$ActiveConsoleCreateFirstLeaveNextObjectSingleSnapshotToolhelp32Waitlstrcmpi$Initialize
                                                                                                                                          • String ID: explorer.exe
                                                                                                                                          • API String ID: 2751948232-3187896405
                                                                                                                                          • Opcode ID: b05089d6881e8808c4204a9cfe87279db86dff134d3bf9d3ac2242ebd18fc37f
                                                                                                                                          • Instruction ID: 32f2e8d2d4c86b41326691215f700daf0fb0283404abdd8ad98e089d9f1d483d
                                                                                                                                          • Opcode Fuzzy Hash: b05089d6881e8808c4204a9cfe87279db86dff134d3bf9d3ac2242ebd18fc37f
                                                                                                                                          • Instruction Fuzzy Hash: 8C815C31205B4982EB96DF62E85879973A2FB8DFD0F55C214E92A43794EF38C68DD700

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: File$CreateModuleProtectVirtual$CurrentDirectoryHandleInformationMappingProcessSystemViewlstrcatmemcpymemset
                                                                                                                                          • String ID: .text$\ntdll.dll$ntdll.dll
                                                                                                                                          • API String ID: 992094507-3745270394
                                                                                                                                          • Opcode ID: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
                                                                                                                                          • Instruction ID: 8bd433b68c42a9f1e6cbfa5eabf8f168c2bd36ca7b2ceeebe8acacb2e18380a2
                                                                                                                                          • Opcode Fuzzy Hash: 69df7cb737dd3e51747fbe578d65583dad7475f3be71c5b6a57530708f646bad
                                                                                                                                          • Instruction Fuzzy Hash: CB51A372714B9886EBB2CF11E4487DA73A1F78DB84F548115EA9A03B58EF78D648CB00

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3333918170.000001F95C700000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F95C700000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_1f95c700000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressCallerLibraryLoadProc
                                                                                                                                          • String ID: RtlA$RtlR$ateH$eAll$eHea$eap$l.dl$l.dl$lloc$ntdl$ntdl$ocat
                                                                                                                                          • API String ID: 4215043672-3994871222
                                                                                                                                          • Opcode ID: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                          • Instruction ID: e28301270e63258b91be899e1f25ebc0563a05ef341f5d9e4179ad93a5171efd
                                                                                                                                          • Opcode Fuzzy Hash: 1e80394ff1d37946f5ee3994f364bbb739b556a1a1e79a645345825dff1cf6d4
                                                                                                                                          • Instruction Fuzzy Hash: 2771A530614E0A8BEF59AF68C8457F97BE2FF94320F11422AD40AD7695EB35D842CF85

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorLast$Socketgetaddrinfo
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1420131935-0
                                                                                                                                          • Opcode ID: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
                                                                                                                                          • Instruction ID: 97eaf826a2d0138a961afbfcea83aa305bd307fdac7432dd28095282f106e3e8
                                                                                                                                          • Opcode Fuzzy Hash: 588b49dada4d53f0dea3a9a8b5e910038bbe1c700624a725d7562d88239a8e1e
                                                                                                                                          • Instruction Fuzzy Hash: 8951AA72610B848AE721CFA1E8047ED37B5FB4C798F148225EE5923B98DF39C659DB01
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateThread$CloseCriticalHandleSection$AllocEnterInfoLeaveNativeReadSystemVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3571750651-0
                                                                                                                                          • Opcode ID: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
                                                                                                                                          • Instruction ID: 4cfd0974d185cad5ebef8526de560f1575828462ff0e0d72f99396545f92925d
                                                                                                                                          • Opcode Fuzzy Hash: 1363fd4b51c054286b4f9f0578cb1f11da93afc1d0dca13003e3c5ae9259af37
                                                                                                                                          • Instruction Fuzzy Hash: FF418132215F8586DBA5CF21E8043D973A5FB88BC5F55C629EE9A03754EF38C699C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: StringUninitialize$AllocCreateFreeInitializeInstance
                                                                                                                                          • String ID: Block All Outbound
                                                                                                                                          • API String ID: 4211003860-2946277995
                                                                                                                                          • Opcode ID: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
                                                                                                                                          • Instruction ID: eff029c1c001f8c9a6eb9d0a089e59113f9457e89b19bb553c66083ed83c8d7d
                                                                                                                                          • Opcode Fuzzy Hash: 295a4f62168f5a6f5119dea70b951de674f26a9291ccd047ab80a2b95cdfc5e8
                                                                                                                                          • Instruction Fuzzy Hash: FF31E876A00B44CAEB419F35DC4439C77B0F798B88F148926EA1D47B24DF34C669CB50
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$Allocmemcpy
                                                                                                                                          • String ID: M$Z
                                                                                                                                          • API String ID: 2981101286-4250246861
                                                                                                                                          • Opcode ID: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
                                                                                                                                          • Instruction ID: cf809e79dc0892ad841741375ddc97645b6d00976cb6bac53320efcc6f1ca8b7
                                                                                                                                          • Opcode Fuzzy Hash: ec89bfb9e9449c1fd831b7383df3345bb054ba2f3537415f9bda132d024155c3
                                                                                                                                          • Instruction Fuzzy Hash: 8E41E232B10FC581FBA28B3DD4103B96751A7DABD4F24C315FA96563A5EF29C6498300
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorLast$CloseCreateEventHandleMultipleObjectsSendWait
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 248740593-0
                                                                                                                                          • Opcode ID: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
                                                                                                                                          • Instruction ID: b6522aaf7b9705b3331a087d41d1cdb7034589dd00909351bf40176251c1a654
                                                                                                                                          • Opcode Fuzzy Hash: 3d6319584adb544b58c2476fc8f8a49f60c538f7d4a53f43cd1c7f5bcbecd3ed
                                                                                                                                          • Instruction Fuzzy Hash: 6F319932618B8486E7628F64F8407DEB361FB88794F148226FB9843B54DF7CC698DB00
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorFileLastVirtual$AllocBuffersFlushFreeNamedPeekPipeRead
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1637252459-0
                                                                                                                                          • Opcode ID: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
                                                                                                                                          • Instruction ID: 84c90537bd11c363a65bf3c1b8adbf25634bbd752cf977323eecfa1631f8ab92
                                                                                                                                          • Opcode Fuzzy Hash: 7caf67ba2c754cc6c7e94bd91c5a8169c82a3c47d0c13808e784c8b6e6b47a5f
                                                                                                                                          • Instruction Fuzzy Hash: 58215336304B5486E7A28F66F84079AB3A1FB8CBE5F048124EE5D43B54EF78D5999B00
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeMemoryProcessSession$CreateCurrentDirectoryEnumerateErrorInformationLastQuerySessionsSystemThreadlstrcatmemset
                                                                                                                                          • String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CountCreateFileTick$ErrorLastSleep
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$FreeVirtual$DeleteEnterLeaveRead
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy$AllocVirtualceil
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocFreeceilmemcpy
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: malloc
• String ID: X
APIs
Memory Dump Source
• Source File: 00000005.00000002.3333918170.000001F95C700000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F95C700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1f95c700000_svchost.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: malloc
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: free
• String ID:
                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                          • Opcode ID: 098f93fbeb42c69fd8f32277914b2ae68ecf3252c39681ab5271f7009817d335
                                                                                                                                          • Instruction ID: 0a03297a77ecdba31d11b4f7a20f53efe35493dba5e5a446ec0584fdd327e906
                                                                                                                                          • Opcode Fuzzy Hash: 098f93fbeb42c69fd8f32277914b2ae68ecf3252c39681ab5271f7009817d335
                                                                                                                                          • Instruction Fuzzy Hash: 43213276301A0886DB65CF1AD18520EB3B1F788FD0B068122EF5D47B18DF32D9A4C340
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$Token$CloseHandle$Freememset$LookupOpenVirtuallstrcpy$File$AccountAdjustCreateCurrentErrorGlobalInformationLastPrivilegePrivilegesProcess32Value$AllocClassDeviceDriveEnumFirstImageInfoLogicalMemoryModulesNameNextPriorityQuerySessionSizeSnapshotStringsToolhelp32__chkstklstrcatlstrlenwcsncmp
                                                                                                                                          • String ID: H$SeDebugPrivilege$unknown
                                                                                                                                          • API String ID: 976869081-3969872153
                                                                                                                                          • Opcode ID: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                          • Instruction ID: ab662803f13f216cf9587554947d7041853fde5cbf24b98bf2e2890ab3468709
                                                                                                                                          • Opcode Fuzzy Hash: 6a6d9660973f71720e87b200dc9c58f4d9867713f3a693197156d62844a92ba2
                                                                                                                                          • Instruction Fuzzy Hash: A8226232601B8586EBA2CF61EC547DD73A1FB8DBD8F508215EA5947A98EF38C749C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Freelstrlen$memset$ProcessToken$AdjustCloseCurrentErrorExtendedHandleLastLookupOpenPrivilegePrivilegesTableValuehtonsinet_ntoalstrcpy$Alloc
                                                                                                                                          • String ID: SeDebugPrivilege$System$TCP
                                                                                                                                          • API String ID: 2139412910-32757284
                                                                                                                                          • Opcode ID: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                          • Instruction ID: 7145bea9de9cfa6b5ae00cd6a39de3e2ecb675f5dcbe9c5d5bc2232063b88fed
                                                                                                                                          • Opcode Fuzzy Hash: 384d3e7db38810127ba93bf50e6bd7a6e267d232edd2a4c281dac7082b692298
                                                                                                                                          • Instruction Fuzzy Hash: ABF19176310B8486EBA5DF25E8047DE77A1FB8DB98F508215EA5A47B58DF38C24CCB40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$lstrcat$AllocCriticalFreeSection$File$CloseHandle$EnterErrorLastProcessReadmemset$CreateLeaveMovememcpy$CurrentDeleteInitializeTerminateWrite
                                                                                                                                          • String ID: .bak$52.74.204.186$C:\Program Files\Windows Mail$ParphaCrashReport64.exe$arphaDump64.dll$h
                                                                                                                                          • API String ID: 2211108363-1112166310
                                                                                                                                          • Opcode ID: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                          • Instruction ID: 6088b806c5e49e4d302fa251c9ee534a615dc6211a463a61944008de05cf0c31
                                                                                                                                          • Opcode Fuzzy Hash: f313ddb08190d7dbab8043538d75833c288af8143399ff6012ff730f18fde2a1
                                                                                                                                          • Instruction Fuzzy Hash: 66D19332610F8686EBA2CF35DC543E92361FB8DB88F14D215EA4A57A64EF38C359C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$Alloc$CloseErrorFileHandleLast$Createlstrcatlstrlen$DirectoryPathProcessRemoveSpecWindowsWritememsetwsprintf
                                                                                                                                          • String ID: \rar.exe$h$rar.exe a "%s" %s -m5
                                                                                                                                          • API String ID: 460989278-1571478729
                                                                                                                                          • Opcode ID: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                                          • Instruction ID: c03e5a34a069fda9d454a07d238a75463c5969b9b5c5cf97840925747e468bcd
                                                                                                                                          • Opcode Fuzzy Hash: d6fa1d8524bb85152559a8366e61b1b4fff8d11480b6a2d1cb8cd4eedd6e302b
                                                                                                                                          • Instruction Fuzzy Hash: D5D17132310B9586EBA58F22E8587DD73A1FB8DBC4F548225EE5A47B58DF38C248C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcat$CriticalFileFindSectionmemset$FreeLeaveNextVirtual$CurrentEnterFirstObjectReadSingleSleepThreadWait__chkstklstrlenwcsstr
                                                                                                                                          • String ID: *.*
                                                                                                                                          • API String ID: 491004167-438819550
                                                                                                                                          • Opcode ID: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
                                                                                                                                          • Instruction ID: cade8498daad81a5c2802640b1cebf4252c5f7bdf05394be426f7502779f6333
                                                                                                                                          • Opcode Fuzzy Hash: b29965504f393d0c0be59b7089e5a45caf17d60b96d961a43351eaaa3ebd01c0
                                                                                                                                          • Instruction Fuzzy Hash: BC918332311F8486EBA6DF21E8547DD63A1FB8DBC4F548126EE5A47A94EF38C649C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$AllocEnterFileLeaveRead$Freelstrcat$CloseCreateHandlePointerWritememset
                                                                                                                                          • String ID: C:\Program Files\Windows Mail$\cp.cfg
                                                                                                                                          • API String ID: 1370748441-3904790782
                                                                                                                                          • Opcode ID: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
                                                                                                                                          • Instruction ID: 91e17fd98d71c9e8135111786d201d67e54a1e698625a548bfb59b48f32e7dc2
                                                                                                                                          • Opcode Fuzzy Hash: 6ecfbc1e04c89c64a0ee336d11aee912bcb92c8e0a2a77cad56ae9ff53fce122
                                                                                                                                          • Instruction Fuzzy Hash: 2FE1A272711F8582EBA68F29E4547AD63A1FF8ABC4F54C215EA8903B54EF38C758D700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$AllocFree$EnterErrorFileLastRead$CreateLeavehtonslstrcatmemset$CloseDirectoryHandleInitializeWindowsWrite
                                                                                                                                          • String ID: 52.74.204.186$\\.\{F8284233-48F4-4680-ADDD-F8284233}$\system32\drivers\tpdrivers.sys$tpdrivers
                                                                                                                                          • API String ID: 3655753775-389373729
                                                                                                                                          • Opcode ID: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
                                                                                                                                          • Instruction ID: 12d95dd8c975c3e344e93b2daa028ff3376d6e0438f722d060c7a57747c014ac
                                                                                                                                          • Opcode Fuzzy Hash: db220a0706c505ffdfe986e89b00e689603627b43e6aef5444c71a3e61a513cc
                                                                                                                                          • Instruction Fuzzy Hash: 7171B731715B5482EBE2DF22F95479A63A1FB8CBC5F10C115EA9A43A64DF3CC65C8700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$AllocCriticalSection$EnterRead$Leavememcpy$CreateCurrentErrorInitializeLastMutexProcessSleepfreelstrcatmallocmemsetwsprintf
                                                                                                                                          • String ID: %s%d$:$Inject Test
                                                                                                                                          • API String ID: 3230380526-1060902658
                                                                                                                                          • Opcode ID: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
                                                                                                                                          • Instruction ID: dfed7ca6f992ea8d7163875ae2deb23361ae0a0e9c0ec7415be465c0bcf352bb
                                                                                                                                          • Opcode Fuzzy Hash: 8dbd244c4dc7ff5931541ce9d241f2be0e44287da5020331176b23af610f2178
                                                                                                                                          • Instruction Fuzzy Hash: 63919131715B4882EB96CF66E8147A96361FB8DFC4F54C224EA8A43B55EF3CC2498740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$memset$CriticalSection$Alloc$Enum$EnterRead$LeaveValue$CloseInitializeOpen__chkstk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2734444383-0
                                                                                                                                          • Opcode ID: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
                                                                                                                                          • Instruction ID: c7a300cf86788d9b2bb3ad5c5f19a5e509c8aa24f0c3c6b9264e97b70b831d55
                                                                                                                                          • Opcode Fuzzy Hash: 0595414e30b50002a461e2897ac5610cd8ac295fcac56b89b3caa5011188017e
                                                                                                                                          • Instruction Fuzzy Hash: 02F17E32310B8086EBB5CF62D998B9E73A5FB89B85F408115DF5A47B59DF38C219CB00
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: %s: %s: WAITING_DNS$ERROR reading from proxy socket$Failed to generate handshake for client$HTTP/1.$Peer hung up$cbail3$chs$cws$error sending h2 preface$http_proxy -> %u$http_proxy fail$lws_http_client_socket_service$problems parsing header$proxy conn dead$proxy read err$read failed
                                                                                                                                          • API String ID: 0-4263491741
                                                                                                                                          • Opcode ID: 78671e27a4717be73cabfba6896136bd0789db9dd6b82e4ebb3e1080ba416978
                                                                                                                                          • Instruction ID: 21a0462fd45df87ee5edc06867fd4a1a877ee659b96ff9b765cf0eaf7c443289
                                                                                                                                          • Opcode Fuzzy Hash: 78671e27a4717be73cabfba6896136bd0789db9dd6b82e4ebb3e1080ba416978
                                                                                                                                          • Instruction Fuzzy Hash: A7D1CF3120478C82FBEA9F2594413F96791AB8CBC8F58D121FE16A76D6DF3AD6498700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: closesocketsetsockopt$ErrorLast$listensocket
                                                                                                                                          • String ID: %s: VH %s: iface %s port %d DOESN'T EXIST$%s: VH %s: iface %s port %d NOT USABLE$ERROR opening socket$Out of mem$_lws_vhost_init_server_af$listen failed with error %d$listen|%s|%s|%d$lws_create_vhost$reuseaddr failed
                                                                                                                                          • API String ID: 3630065070-1684632830
                                                                                                                                          • Opcode ID: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
                                                                                                                                          • Instruction ID: 2766f3bb6dc4fce403585f370064895871a90e0ac9ff3b4998f931d318ec6775
                                                                                                                                          • Opcode Fuzzy Hash: 3b880312eee11432debff261864d0151b6d610a403db296dabe4168ddc5b799d
                                                                                                                                          • Instruction Fuzzy Hash: E7D18C72300B8886EB96CB16D4887DD33A1F78CBD8F558226EA2D477A1DF34C699C705
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Service$ErrorLast$CloseHandle$lstrcatmemset$CreateDirectoryManagerOpenStartWindows
                                                                                                                                          • String ID: FSFilter Activity Monitor$FltMgr$\system32\drivers\tpdrivers.sys$tpdrivers
                                                                                                                                          • API String ID: 4233479461-606275738
                                                                                                                                          • Opcode ID: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
                                                                                                                                          • Instruction ID: be4161d35e4edffc8d18653c63b0145683f113417105ade20d90917bd565f143
                                                                                                                                          • Opcode Fuzzy Hash: 38649f7966a210fa7a925492f7da8da3f08e55cc04dda45abaec5e3d19128508
                                                                                                                                          • Instruction Fuzzy Hash: 63318F35604B8482EB928B54F8543DA73A2FB8C7D4F548125EA9E42B68EF3CC34DCB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$CreateProcess32$AllocCloseHandleMemoryNextOpenRemoteThreadVirtualWritelstrcmpi$FirstSnapshotToolhelp32
                                                                                                                                          • String ID: @$winlogon.exe
                                                                                                                                          • API String ID: 2717908072-2705468112
                                                                                                                                          • Opcode ID: 9adab53390aa097aff988e1355229478ff467b453e21ebe2fac670c522015f7e
                                                                                                                                          • Instruction ID: 4f48c20b5f6e5e976debb9c4ef6a3f07c2835b05d0dbc98f6ef438c5d6a82c9a
                                                                                                                                          • Opcode Fuzzy Hash: 9adab53390aa097aff988e1355229478ff467b453e21ebe2fac670c522015f7e
                                                                                                                                          • Instruction Fuzzy Hash: 65517431345B8986EBE68F12B8547967395EB8EBC4F588128EA4D47754FF3CC24D8B04
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: File$AttributesCreatePointerVirtualWritelstrcat$AllocCloseCountFreeHandleTickmemset
                                                                                                                                          • String ID: C:\Program Files\Windows Mail$\temp.key
                                                                                                                                          • API String ID: 573267298-229217837
                                                                                                                                          • Opcode ID: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
                                                                                                                                          • Instruction ID: 39fad07a16c8704c8e09e2da5d2261186e7f98d000fc3352d74f7c3f3773f4dc
                                                                                                                                          • Opcode Fuzzy Hash: 56780571c3b5b24d83ae8df9fa4e23bd7118c424518018f72ede47bea234dd3e
                                                                                                                                          • Instruction Fuzzy Hash: 9E619172614F9982EBA18F25E808BDA7761FB89BC4F50C211EA9657B54EF3CC709C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Alloc$MemoryProcessWrite$Protect$AddressErrorFreeHandleLastModuleProcmemcpy
                                                                                                                                          • String ID: @$ZwCreateThreadEx$h$ntdll.dll
                                                                                                                                          • API String ID: 2541485474-1855171776
                                                                                                                                          • Opcode ID: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
                                                                                                                                          • Instruction ID: b914b1c6b4854bd9bbe5246b375c866756148f1a68b4d635330a0ff3f8bed5ac
                                                                                                                                          • Opcode Fuzzy Hash: 396edaa950aea8bb2834e9a8a087e273c859751424a80b509f85d4148d5affe0
                                                                                                                                          • Instruction Fuzzy Hash: 3881E232714B848AF766CF69A8447AD3A61F74A7C8F444319EE9957B88DF38C30AC750
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CapsDevice$BlockInput$Virtualkeybd_event
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4019288356-0
                                                                                                                                          • Opcode ID: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                                          • Instruction ID: 51607d66c44d631e5514e6cc14082b91fee79f825fdabc4b9e198b8b7d56ef02
                                                                                                                                          • Opcode Fuzzy Hash: 80f6854fd55cfec3db650c4c49a6fd06f20ce82fbc0cb067e63b0ba8c2a67ee0
                                                                                                                                          • Instruction Fuzzy Hash: 8861EB326147C887E397DB31A8487AA73A5FB8E7C5F54C211FA4A03664EF39D689C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: strchr
                                                                                                                                          • String ID: %s: ended on e %d$%s: malformed ip address$lws_create_vhost$lws_parse_numeric_address
                                                                                                                                          • API String ID: 2830005266-2525933588
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180017423
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
• VirtualFree.KERNEL32 ref: 000000018001744D
• VirtualFree.KERNEL32 ref: 000000018001749D
• VirtualFree.KERNEL32 ref: 00000001800174C7
• VirtualFree.KERNEL32 ref: 00000001800174EF
• VirtualFree.KERNEL32 ref: 0000000180017519
• DisconnectNamedPipe.KERNEL32 ref: 0000000180017546
• CloseHandle.KERNEL32 ref: 0000000180017555
• DeleteCriticalSection.KERNEL32 ref: 0000000180017563
• VirtualFree.KERNEL32 ref: 0000000180017574
• VirtualFree.KERNEL32 ref: 0000000180017615
• VirtualFree.KERNEL32 ref: 000000018001763F
• VirtualFree.KERNEL32 ref: 0000000180017655
• VirtualFree.KERNEL32 ref: 000000018001767F
• VirtualFree.KERNEL32 ref: 0000000180017695
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013678
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013691
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136A7
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136CB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800136E4
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800136FA
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013726
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001373F
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013755
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013779
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013792
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800137A8
  • Part of subcall function 0000000180016BC0: IsBadReadPtr.KERNEL32 ref: 0000000180016BE3
  • Part of subcall function 0000000180016BC0: EnterCriticalSection.KERNEL32(?,?,00000038,00000001800171A6), ref: 0000000180016BFE
  • Part of subcall function 0000000180016BC0: LeaveCriticalSection.KERNEL32(?,?,00000038,00000001800171A6), ref: 0000000180016C21
• VirtualFree.KERNEL32 ref: 00000001800176BF
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$Virtual$Free$EnterRead$Leave$Alloc$lstrcat$CloseDeleteDisconnectHandleInitializeNamedPipememcpymemset
• String ID:
• API String ID: 4255235403-0
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalFreeSection$AllocCreateEnterErrorLastLeaveReadThreadbindhtonlhtonsinet_addrlistenmemsetsetsockoptsocket
• String ID:
• API String ID: 1206800484-0
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _stricmp$_atoi64
• String ID: Basic realm="lwsws"$Unable to find plugin '%s'$close$http action CALLBACK bind$http_action HTTP$index.html$keep-alive$lws_http_action$no mount hit
• API String ID: 3615839938-539034854
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: FreeVirtual$freemalloc$GroupLocalMembersSleepUser
• String ID: Administrators
• API String ID: 2980277588-3395160503
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FileFreeVirtual$CreateErrorLastPointerSizeWritefreemalloc
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 287149550-0
                                                                                                                                          • Opcode ID: 0223230c3a5642bc6ac120d5f3bc129a0fc1910174e513a298f1f88523c3db28
                                                                                                                                          • Instruction ID: 80e45b664543585f4643f9112c24d8a843cc9f14f2b8051dce630e8d098ad42e
                                                                                                                                          • Opcode Fuzzy Hash: 0223230c3a5642bc6ac120d5f3bc129a0fc1910174e513a298f1f88523c3db28
                                                                                                                                          • Instruction Fuzzy Hash: AA618072311B8486EB65CF22E95479A73A5FB8CFD4F108215EE9A07B54DF38C259C700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memset$lstrlen$DeviceDiskDriveFreeInformationQuerySpaceTypeVolume
                                                                                                                                          • String ID: :$\
                                                                                                                                          • API String ID: 2115141164-1166558509
                                                                                                                                          • Opcode ID: 2477ab74630cff7d9f10f7953b90637281b9d5ed11b09ba90bcaab8a2ec660d9
                                                                                                                                          • Instruction ID: 08b8c3128405f4ed23382147f1039dffd5c43d6198621a424984a10230734bc2
                                                                                                                                          • Opcode Fuzzy Hash: 2477ab74630cff7d9f10f7953b90637281b9d5ed11b09ba90bcaab8a2ec660d9
                                                                                                                                          • Instruction Fuzzy Hash: 76515E32214B8487EB71CF25E8447DE7761F78AB89F505111EB8A47A68EF38D74ACB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ErrorLastProcessToken$AdjustAllocCloseCurrentHandleLookupOpenPrivilegePrivilegesValueVirtualmemcpy
                                                                                                                                          • String ID: SeDebugPrivilege
                                                                                                                                          • API String ID: 941393880-2896544425
                                                                                                                                          • Opcode ID: 13ad378ceb3cf1b95ba2275f286f3521988d44e0188879ad38e1d67537cb33ea
                                                                                                                                          • Instruction ID: ea4f92aae033d01013d5b6c73fd74f6cf41a10a7a00df61154ea5ed3773aceec
                                                                                                                                          • Opcode Fuzzy Hash: 13ad378ceb3cf1b95ba2275f286f3521988d44e0188879ad38e1d67537cb33ea
                                                                                                                                          • Instruction Fuzzy Hash: 0E318271214B4486E796DF26F84478A77A1FB8CBD4F148225BE56437A5DF3CC649CB00
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002624A
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180026274
                                                                                                                                          • OpenClipboard.USER32 ref: 0000000180026302
                                                                                                                                          • GlobalAlloc.KERNEL32 ref: 000000018002631A
                                                                                                                                          • GlobalLock.KERNEL32 ref: 000000018002632B
                                                                                                                                          • GlobalUnlock.KERNEL32 ref: 0000000180026349
                                                                                                                                          • SetClipboardData.USER32 ref: 0000000180026357
                                                                                                                                          • CloseClipboard.USER32 ref: 000000018002635D
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180026373
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002639D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$Free$ClipboardEnterGlobalRead$Leave$CloseDataInitializeLockOpenUnlock
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1362927461-0
                                                                                                                                          • Opcode ID: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
                                                                                                                                          • Instruction ID: d64dd42c3dc8fb4412f7557b5568284cb69eb52a1192a69af238dbfe421c115e
                                                                                                                                          • Opcode Fuzzy Hash: 14aff5e7281eb0515db2efaaa05bc0cffdcae11165ae12660c773d397ca1b196
                                                                                                                                          • Instruction Fuzzy Hash: AF416031715B4486EBA9DF22EA5436D63A1FB8DFC1F44C114EA9A43F54EF38D2698700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2775880128-0
                                                                                                                                          • Opcode ID: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
                                                                                                                                          • Instruction ID: 4765e8045a5846deb9287ac6894a5dec6d9a063d7bfc4cb050589aecf0a9d8b0
                                                                                                                                          • Opcode Fuzzy Hash: e54aba6c139d99624c5fc929576f719923c2ee98f6e17d40784d5d8f2ef1c0b0
                                                                                                                                          • Instruction Fuzzy Hash: D8416332A14B8586E750CF64EC503EE3371F799748F519229EB9D47A55EF78C298C700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: OpenService$CloseErrorHandleLastManager
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2659350385-0
                                                                                                                                          • Opcode ID: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
                                                                                                                                          • Instruction ID: 287740d799c7e1e53cdf3a8a1bbdcd1450047062a2d3c82c89dea545571af17d
                                                                                                                                          • Opcode Fuzzy Hash: d1f9e974718dfdc27abd3533510aa15af3a5deb6cf2be6aac275e286971032ce
                                                                                                                                          • Instruction Fuzzy Hash: A5215135714B4882FBC68B66B95436953A2EB8CFD0F149521FE1A43B15EE7CC68D9B00
                                                                                                                                          APIs
                                                                                                                                          • memset.NTDLL ref: 000000018001D449
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001D482
• VirtualFree.KERNEL32 ref: 000000018001D4AC
• VirtualFree.KERNEL32 ref: 000000018001D504
• VirtualFree.KERNEL32 ref: 000000018001D52E
• ShellExecuteW.SHELL32 ref: 000000018001D55A
• ShellExecuteW.SHELL32 ref: 000000018001D589
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$ExecuteLeaveShell$Initializememset
• String ID: open
APIs
Similarity
• API ID: ErrorFreeLastOpenServiceVirtual$CloseHandleManager
• String ID:
APIs
Similarity
• API ID: Free$InitializeStringVirtual$AllocCreateInitInstanceSecurityVariant
• String ID:
APIs
Similarity
• API ID: ClipboardGlobal$AllocCloseDataErrorLastLockOpenSleepUnlock
• String ID:
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180024504
• VirtualFree.KERNEL32 ref: 000000018002452E
• VirtualAlloc.KERNEL32 ref: 0000000180024545
• VirtualFree.KERNEL32 ref: 000000018002463C
• VirtualFree.KERNEL32 ref: 0000000180024666
• VirtualFree.KERNEL32 ref: 000000018002468B
• VirtualFree.KERNEL32 ref: 00000001800246B5
• VirtualFree.KERNEL32 ref: 00000001800246DA
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180025394
• VirtualFree.KERNEL32 ref: 00000001800253BE
• VirtualAlloc.KERNEL32 ref: 00000001800253D5
• VirtualFree.KERNEL32 ref: 00000001800254C1
• VirtualFree.KERNEL32 ref: 00000001800254EB
• VirtualFree.KERNEL32 ref: 0000000180025510
• VirtualFree.KERNEL32 ref: 000000018002553A
• VirtualFree.KERNEL32 ref: 000000018002555F
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 948184506-0
                                                                                                                                          • Opcode ID: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                                          • Instruction ID: e1ed2f7b30fdbbafaf83607e2b920250547d7d04a51b70330a41ad624c924d4a
                                                                                                                                          • Opcode Fuzzy Hash: a2f3d28db6f5c7a542f089183b464a35e1dffb07d7f729c69724856baa88be71
                                                                                                                                          • Instruction Fuzzy Hash: D6614E36601F4486EBA6DF22E85479A73A5FB8CB81F44C125EE8A43B14EF38D258D744
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 00000001800255E4
• VirtualFree.KERNEL32 ref: 000000018002560E
• VirtualAlloc.KERNEL32 ref: 0000000180025625
• VirtualFree.KERNEL32 ref: 00000001800256FB
• VirtualFree.KERNEL32 ref: 0000000180025725
• VirtualFree.KERNEL32 ref: 000000018002574A
• VirtualFree.KERNEL32 ref: 0000000180025774
• VirtualFree.KERNEL32 ref: 0000000180025799
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
• Instruction ID: a098d769e738cf4516be0d4c0e9b8bb2eaeea588b20fa9ae2b6ee3b858d7c8c5
• Opcode Fuzzy Hash: c4c301c77432ef5703f60f68f188faa43b288a4f8a8c10df986e60a82f244a90
• Instruction Fuzzy Hash: EB514F36711F4486EBA6CF22E85479A73A5FB8CB81F44C125EE8A43B14DF38D2588744
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180024754
• VirtualFree.KERNEL32 ref: 000000018002477E
• VirtualAlloc.KERNEL32 ref: 0000000180024795
• VirtualFree.KERNEL32 ref: 000000018002486B
• VirtualFree.KERNEL32 ref: 0000000180024895
• VirtualFree.KERNEL32 ref: 00000001800248BA
• VirtualFree.KERNEL32 ref: 00000001800248E4
• VirtualFree.KERNEL32 ref: 0000000180024909
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D3D
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D50
  • Part of subcall function 0000000180014D20: CloseHandle.KERNEL32 ref: 0000000180014D66
  • Part of subcall function 0000000180014D20: DeleteCriticalSection.KERNEL32 ref: 0000000180014D8D
  • Part of subcall function 0000000180014D20: VirtualFree.KERNEL32 ref: 0000000180014DBA
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$CriticalSection$Alloc$CloseEnterHandleRead$Leave$DeleteInitialize
• String ID:
• API String ID: 948184506-0
• Opcode ID: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
• Instruction ID: 72a2896740c9137efb1b418fa442e73962727cb62168e6376ed2afb5ae8d32a4
• Opcode Fuzzy Hash: 80f34942a8f8c4bc9a5d5aa5a2718efda92b851cc4559cc26846c331e5552837
• Instruction Fuzzy Hash: 6C516E36711F4486EBA6CF62E85479A73A5FB8CB80F45C124EE8A43B14DF38D258C740
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: wctomb_s
• String ID: 0
• API String ID: 2215178078-4108050209
• Opcode ID: 1492f7c15eab4061bc7f6a32edb82fc2110c3162b8146593b7aa99b753d1092c
• Instruction ID: b78a43dfde99f40485895c579130c87ca7fca1f2de56ca6245298c2957896ae2
• Opcode Fuzzy Hash: 1492f7c15eab4061bc7f6a32edb82fc2110c3162b8146593b7aa99b753d1092c
• Instruction Fuzzy Hash: 76D1B372204F8886DBA68F28C84079C77A2F349BD8F749215EF6947798DF35CA89C750
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _errno
• String ID: gfffffff
• API String ID: 2918714741-1523873471
• Opcode ID: 50460a0e52648f72767fa19e63171c8a82114c62844ae90395d0efa7ecbc3a04
• Instruction ID: d8f414e0bef8b82fe1a4a168c370e8312f43b1049c0ea29667bfe1c97a47490c
• Opcode Fuzzy Hash: 50460a0e52648f72767fa19e63171c8a82114c62844ae90395d0efa7ecbc3a04
• Instruction Fuzzy Hash: D39115B37057C986EBA28F29E9513EA7792A7657C0F148022EB994B7C1DF3CC259C701
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _readmemmove
• String ID: #
• API String ID: 2793665766-1885708031
• Opcode ID: 987fd676393602e5fbf9a4f4c9d3c45c4ce8d85387bfab112573a77dbf0a2f81
• Instruction ID: 204fe7763e42409cfe4ae1be45cc68f9e315ee3c51830df5655797995f9cd38c
• Opcode Fuzzy Hash: 987fd676393602e5fbf9a4f4c9d3c45c4ce8d85387bfab112573a77dbf0a2f81
• Instruction Fuzzy Hash: CB411C33224F9895FBF28A65A580BFEA691F3C87C8F069111FE4903684DF74D68C8B45
APIs
  • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001442D
  • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 000000018001445F
  • Part of subcall function 0000000180014410: InitializeCriticalSection.KERNEL32 ref: 0000000180014474
  • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 0000000180014490
  • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 00000001800144A3
  • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 00000001800144BA
  • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 00000001800144E9
  • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 00000001800144FE
  • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 0000000180014511
  • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014528
                                                                                                                                            • Part of subcall function 0000000180014410: LeaveCriticalSection.KERNEL32 ref: 0000000180014557
                                                                                                                                            • Part of subcall function 0000000180014410: IsBadReadPtr.KERNEL32 ref: 000000018001456C
                                                                                                                                            • Part of subcall function 0000000180014410: EnterCriticalSection.KERNEL32 ref: 000000018001457F
                                                                                                                                            • Part of subcall function 0000000180014410: VirtualAlloc.KERNEL32 ref: 0000000180014596
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180023503
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180023548
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002357E
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002358F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4189992183-0
                                                                                                                                          • Opcode ID: a25cbe2398620dd5aade8412fca36b0dba362fd9746facf50c7945402be94b72
                                                                                                                                          • Instruction ID: b7787bbd8a325aeebdcde614afb160aa7d11d0e3a8624fbc1606faf4384ac525
                                                                                                                                          • Opcode Fuzzy Hash: a25cbe2398620dd5aade8412fca36b0dba362fd9746facf50c7945402be94b72
                                                                                                                                          • Instruction Fuzzy Hash: 6931C572301B8486EB878F26E95439977A1BF4DFD4F08C125EE5A87B45DF28C569C700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Leave$EnterRead$AllocVirtual$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3051317124-0
                                                                                                                                          • Opcode ID: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                          • Instruction ID: 8d79aea406c2d95edea1836f54f9f7be0f00163c332968c48641294727d518e6
                                                                                                                                          • Opcode Fuzzy Hash: 6ebc8dea4b0ea736fefb6cc6a4b904e09ee724be14cbd8c2d79b4aff0744f4dc
                                                                                                                                          • Instruction Fuzzy Hash: 9AF1F972200F4986EB9A8F21E8153A973A5FB5CFC4F58C525EE5A477A4EF38D658C300
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _unlink$_close_open$_write$Sleeprename
                                                                                                                                          • String ID: # Netscape HTTP Cookie File$%s.LCK$%s.tmp$nsc_regen
                                                                                                                                          • API String ID: 3831667237-754349171
                                                                                                                                          • Opcode ID: 5ad480a65cf6fe72315309d2af5a2d32d7a8d9a5e723e02816f8326c51347cc7
                                                                                                                                          • Instruction ID: 3a75f7037613c534b31f398f9f7e10cfc46e488a0411f9bffbb7e4ffe011920f
                                                                                                                                          • Opcode Fuzzy Hash: 5ad480a65cf6fe72315309d2af5a2d32d7a8d9a5e723e02816f8326c51347cc7
                                                                                                                                          • Instruction Fuzzy Hash: 8D41C632204B4882F792EF21E8907D97361F7897C8F658026FA994B696CF79CA09C740
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Startupmemset
                                                                                                                                          • String ID: Failed to create default vhost$Failed to init cookiejar$NSC$OOM$OOM allocating %d fds$context$fds table$info->ka_interval can't be 0 if ka_time used$lws_create_context$lws_free$mux$prot_init$system$unknown$wsi$wsicli$wsisrv
                                                                                                                                          • API String ID: 1873301828-3289243303
                                                                                                                                          • Opcode ID: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
                                                                                                                                          • Instruction ID: 3b559553d32f2118d47c1827e12155a903dd1219b53e8335ef171119bd7a8236
                                                                                                                                          • Opcode Fuzzy Hash: 16ff8c9513e61e8d05d3a42471cc09235c13313f4bf578ebfff565fe686a6f90
                                                                                                                                          • Instruction Fuzzy Hash: 29325F36605B8985EB96CF21F8803EA73A5F748B88F458136EE9D47394EF38D258C750
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: String$AllocFree$CreateInstanceUninitialize$Initialize
                                                                                                                                          • String ID: Block All Outbound$Block all outbound traffic$BlockAllGroup$i33L
                                                                                                                                          • API String ID: 2562062002-1644180588
                                                                                                                                          • Opcode ID: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                                          • Instruction ID: 24ee4ad5e576ebab54034bfc9a1020dbb273c5f654aeecea88066f1c8707723b
                                                                                                                                          • Opcode Fuzzy Hash: 8deb0ea224b165b1f84c5336fa06fe8aa485b50349956e7146a47af700a7992b
                                                                                                                                          • Instruction Fuzzy Hash: 9951D276600B448AEB41DF76D84439C37B1F788B88F208526EE5E57B28DF38C659C741
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$Current$Terminate$memsetwsprintf$ObjectSessionSingleWait
                                                                                                                                          • String ID: \\.\Pipe\%d_Local_%d$\\.\Pipe\%d_pipe%d
                                                                                                                                          • API String ID: 1631145905-82101934
                                                                                                                                          • Opcode ID: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                                          • Instruction ID: 2ca27b65026b01a0e2614ebc2938c806b5a8a65987fe76e9e7616e4d15ed07f3
                                                                                                                                          • Opcode Fuzzy Hash: ab10d55d452ab6b41233c7c6c5d6ad339ec73cd5f29839cb69e3900e23e60465
                                                                                                                                          • Instruction Fuzzy Hash: 4B318675304B8982EBA29B21EC543DA63A2FB8CFC5F14C115E95A43664EE3CC74DD710
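The two entries above carry the most directly actionable strings in this dump: the pipe-name format strings `\\.\Pipe\%d_Local_%d` and `\\.\Pipe\%d_pipe%d`, and the triple "Block All Outbound" / "Block all outbound traffic" / "BlockAllGroup", which read as a firewall rule name, description and group. The following Python is an added hunting example, not part of the Joe Sandbox report or of the sample's own code. It normalizes pipe names as they appear in CreateNamedPipe paths, kernel object paths and Sysmon pipe events (IDs 17 and 18) before matching them against the two recovered formats, and flags firewall-rule records whose name, or whose description and group together, equal the recovered strings. The sample events and rule records are constructed; the field names (EventID, Image, PipeName, DisplayName, Description, Group) are assumed to follow Sysmon and Get-NetFirewallRule output, and all function names are this example's own.

```python
import re

# Indicators recovered from the svchost.exe memory dump (entries above on this page).
# Named-pipe format strings:  \\.\Pipe\%d_Local_%d   and   \\.\Pipe\%d_pipe%d
# Each %d is a decimal integer, so it becomes \d+ once turned into a regex.
PIPE_NAME_RES = (
    re.compile(r"\A\d+_Local_\d+\Z"),
    re.compile(r"\A\d+_pipe\d+\Z"),
)

# Firewall-rule strings recovered from the same dump (name, description, group),
# lower-cased because the comparison below is case-insensitive.
FW_RULE_NAME = "block all outbound"
FW_RULE_DESCRIPTION = "block all outbound traffic"
FW_RULE_GROUP = "blockallgroup"

# Prefixes that different sources put in front of the bare pipe name:
#   CreateNamedPipe path   \\.\pipe\<name>
#   kernel object path     \Device\NamedPipe\<name>
#   Sysmon events 17/18    \<name>
_PIPE_PREFIX_RE = re.compile(r"\A(?:\\\\\.\\pipe\\|\\Device\\NamedPipe\\|\\)", re.IGNORECASE)


def normalize_pipe_name(raw: str) -> str:
    """Strip any of the known prefixes so all spellings collapse to <name>."""
    return _PIPE_PREFIX_RE.sub("", raw.strip(), count=1)


def pipe_name_matches(raw: str) -> bool:
    """True when the pipe name follows either recovered format string."""
    name = normalize_pipe_name(raw)
    return any(r.match(name) for r in PIPE_NAME_RES)


def firewall_rule_matches(name: str, description: str = "", group: str = "") -> bool:
    """True when the rule name equals the recovered name, or both the description
    and the group equal the recovered pair (a renamed rule still trips the second test)."""
    n, d, g = (s.strip().lower() for s in (name, description, group))
    return n == FW_RULE_NAME or (d == FW_RULE_DESCRIPTION and g == FW_RULE_GROUP)


def scan_pipe_events(events):
    """Return the indices of Sysmon-style pipe events (IDs 17/18) whose PipeName matches."""
    return [
        i for i, ev in enumerate(events)
        if ev.get("EventID") in (17, 18) and pipe_name_matches(ev.get("PipeName", ""))
    ]


def scan_firewall_rules(rules):
    """Return the indices of firewall-rule records that carry the recovered strings."""
    return [
        i for i, r in enumerate(rules)
        if firewall_rule_matches(r.get("DisplayName", ""), r.get("Description", ""), r.get("Group", ""))
    ]


# Constructed sample data for this example (not taken from the sandbox run). Field names
# assume Sysmon pipe events and Get-NetFirewallRule output respectively.
SAMPLE_PIPE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\4212_Local_1"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\4212_pipe3"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\Winsock2\CatalogChangeListener-2f8-0"},
    # Right shape, wrong event type: a process-create event is not a pipe event.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\99_Local_99"},
]

SAMPLE_FW_RULES = [
    {"DisplayName": "Core Networking - DNS (UDP-Out)",
     "Description": "Outbound rule to allow DNS requests.", "Group": "Core Networking"},
    {"DisplayName": "Block All Outbound", "Description": "Block all outbound traffic",
     "Group": "BlockAllGroup"},
    {"DisplayName": "Renamed", "Description": "block all outbound traffic", "Group": "BlockAllGroup"},
]

if __name__ == "__main__":
    for i in scan_pipe_events(SAMPLE_PIPE_EVENTS):
        ev = SAMPLE_PIPE_EVENTS[i]
        print(f"pipe hit: EventID={ev['EventID']} {ev['Image']} {ev['PipeName']}")
    for i in scan_firewall_rules(SAMPLE_FW_RULES):
        print(f"firewall rule hit: {SAMPLE_FW_RULES[i]['DisplayName']!r}")
```

Pipe names are case-insensitive on Windows, but the regexes keep the casing the binary emits (`_Local_`, `_pipe`) because the logged name reproduces what the creator passed in; widen them to `re.IGNORECASE` if your telemetry lower-cases names. The firewall check deliberately accepts a description/group match without the name, since the name is the one field an operator can change from a console without touching the other two.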
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _stricmp$atoistrchrstrncmpstrstr
                                                                                                                                          • String ID: %s: assert: NULL ah$%s: assert: len %ld$%s: bad wsi role 0x%x$h2c$h2n$lws_handshake_server$websocket
                                                                                                                                          • API String ID: 772635384-2030653601
                                                                                                                                          • Opcode ID: 3e545e06de1398776efe2b32ebf9aaed83d313d5bc47e434b252dda6cce64d6b
                                                                                                                                          • Instruction ID: d49f17e4c13066866941a8c03b63ad3af1a2a4addf82eecd73d35d4d049f7a5d
                                                                                                                                          • Opcode Fuzzy Hash: 3e545e06de1398776efe2b32ebf9aaed83d313d5bc47e434b252dda6cce64d6b
                                                                                                                                          • Instruction Fuzzy Hash: 74E1B131304B8951FAE69B269A803EE6352AB8D7C8F46C421FE1947792EF38C659D304

APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Object$DeleteFreeVirtual$CloseHandleSelect$BlockEventInputReleaseSingleWait
• String ID:
• API String ID: 3967251967-0
• Opcode ID: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
• Instruction ID: 294975e9c67eb738fc8a76c6dfbd6f8425bfb77a95e6eb5f1d41b0cb1a161822
• Opcode Fuzzy Hash: 3a07132e1f9d7ba23aabf59264424579120ae970d8e9deebab850e7ccb55037e
• Instruction Fuzzy Hash: 8E414836201F5481EB96DF62E9503A93366FF88FC4F18C125EE5A47B58DF38C65A8301

APIs
• IsBadReadPtr.KERNEL32 ref: 000000018001725A
  • Part of subcall function 0000000180028120: VirtualAlloc.KERNEL32(?,?,00000000,0000000180026D58), ref: 0000000180028137
  • Part of subcall function 0000000180028120: InitializeCriticalSection.KERNEL32(?,?,00000000,0000000180026D58), ref: 0000000180028165
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• memset.NTDLL ref: 0000000180017295
• GetCurrentProcessId.KERNEL32 ref: 000000018001729A
• wsprintfW.USER32 ref: 00000001800172B6
• WaitForSingleObject.KERNEL32 ref: 00000001800172D3
• WaitForSingleObject.KERNEL32 ref: 000000018001731B
• VirtualFree.KERNEL32 ref: 000000018001733A
• VirtualFree.KERNEL32 ref: 0000000180017364
• DisconnectNamedPipe.KERNEL32 ref: 000000018001737B
• CloseHandle.KERNEL32 ref: 000000018001738A
• DeleteCriticalSection.KERNEL32 ref: 0000000180017398
• VirtualFree.KERNEL32 ref: 00000001800173A9
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Read$EnterFree$InitializeLeaveObjectSingleWait$CloseCurrentDeleteDisconnectHandleNamedPipeProcessmemsetwsprintf
• String ID: \\.\Pipe\%d_Local_%d
• API String ID: 2297721380-251893267
• Opcode ID: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
• Instruction ID: df745b0456b80d04bc256779a35986cf992e6c2ed35c23266841cb860a50cde9
• Opcode Fuzzy Hash: 36990aca3978a3dea961cae16a781325bd347a7ac9c8a3c5f6a009e8abbcbd45
• Instruction Fuzzy Hash: 10415E35300A4582EBA69B62E8543AE63A1FF8CFC4F54C121EE6A47A95DF3CC7499700

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _atoi64_stricmpstrncmp
• String ID: Banning service on CLOSED_REMOTE$Illegal transfer-encoding$LWS_H2S_IDLE$Pseudoheader checks$client done$dyntable resize last in headers$hpack incomplete$trailers
• API String ID: 3622546912-2715351296
• Opcode ID: 850a7d48c15578104734be1d17ab6fe13f68133994dd60894492c7c8482764ff
• Instruction ID: 2738031c5a13f8d2a9113236ef16879ec5afd259850b3dca8db5443b4f1c11f3
• Opcode Fuzzy Hash: 850a7d48c15578104734be1d17ab6fe13f68133994dd60894492c7c8482764ff
• Instruction Fuzzy Hash: DDA15031205A88C9FBE29B25C4953ED2791E788BC8F29C431FE4D5B396DF26C74A8711

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _time64randsrand
• String ID: !"#$$%&'$()*+$,-./$0123$4567$89:;$<=>?
• API String ID: 1363323005-2655883160
• Opcode ID: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
• Instruction ID: c51e40b0117ec8def28ddec8a1b2912ad07eefb3fc6356cac202c9ea0a687b5c
• Opcode Fuzzy Hash: 495eb2bc3968464ad3b4467f9e3bb0dc08ae24cb2b23406463a58bd7f9b74657
• Instruction Fuzzy Hash: 4A118476B107908EE705CF61A88429D7BB0F308B88F944628DE5A27B0CCB34D241CF51

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID: ($client stash$free$lws_client_connect_via_info
• API String ID: 3510742995-2507652003
• Opcode ID: 9fb5c97349f956897b386c71c7d51adbd1a5d1a1ce7cacacf1f16eb9e8c103cd
• Instruction ID: fece761c7d5914db26e48d005023e2e74e12c3d64d436247abcb8b77079efcde
• Opcode Fuzzy Hash: 9fb5c97349f956897b386c71c7d51adbd1a5d1a1ce7cacacf1f16eb9e8c103cd
• Instruction Fuzzy Hash: 12D1A472A04B9846EB978B2599403AA2790F75ABF4F599321EE7E037D1DF38C5968300

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeavefreemallocmemcpymemset$Initialize
• String ID: 1216$52.74.204.186
• API String ID: 532055762-2187397507
• Opcode ID: 4ce7d3970b924012d0fbf1c1f527a2620021745c6c51cf997aeaa958acbe5b0c
• Instruction ID: 582e9a51cf9fe368b1d6b2089614ae23831cbc2162aea492bb2fd5e535a51b7f
• Opcode Fuzzy Hash: 4ce7d3970b924012d0fbf1c1f527a2620021745c6c51cf997aeaa958acbe5b0c
• Instruction Fuzzy Hash: DC517431A14B4486E7A29B26E9443E973A1FF9DBC4F14D214EE9A43B55EF38D3898700

APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalSection$EventLeave$CloseEnterHandleObjectReadSingleSleepWait
• String ID:
• API String ID: 1497552152-0
• Opcode ID: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
• Instruction ID: b6fb680b84b29870d8408f0db8a669e560a49f39b75c397a2ccc2e4b14d49071
• Opcode Fuzzy Hash: 3e701f299464fa1840a3c59915c173aa47d40fd4326d99a42f10eb8f84c94787
• Instruction Fuzzy Hash: 95410D32305F45C6EB9A9F22D8503A823A0FB4CFC4F588520FE5A4B764DF38C6998300
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Service$CloseDatabaseFreeHandleOpenVirtual$ChangeConfigLockManagerQuerySleepStatusUnlock
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3731607402-0
                                                                                                                                          • Opcode ID: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
                                                                                                                                          • Instruction ID: 5d8b5e5c2509a2156ec9f6ed001428137373d39bb2af93de72171ddb575701ec
                                                                                                                                          • Opcode Fuzzy Hash: a9eb4e77f0189a9487206b475b1535da776a34eb102c6930cb2e8e0098df8897
                                                                                                                                          • Instruction Fuzzy Hash: 52418235301B4482E7AADF12A824B9A73A9FB8DFD0F65C114EE5603714DF39C649D740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Desktop$Thread$CloseInformationObjectUsermemset$CurrentInputOpenlstrcmpi
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2480204736-0
                                                                                                                                          • Opcode ID: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
                                                                                                                                          • Instruction ID: eb276260ccc1891881afc150e594b9866f0886d6e094768467674585afdc8472
                                                                                                                                          • Opcode Fuzzy Hash: a7e5f87c476b32af149d3a23a836e4c12a9df15ddd786ef6baeaf1639c8a2ace
                                                                                                                                          • Instruction Fuzzy Hash: B4215E35314B8496EB65DB11F8587DA73A2FB8CB84F949226EA5A43B54EF3CC309C740
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: getaddrinfo
                                                                                                                                          • String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
                                                                                                                                          • API String ID: 300660673-2214405465
                                                                                                                                          • Opcode ID: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
                                                                                                                                          • Instruction ID: 68e36fe551a056b0132e3184e2ed47a50fea2595561cf4aa0b5d9e6023a6a639
                                                                                                                                          • Opcode Fuzzy Hash: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
                                                                                                                                          • Instruction Fuzzy Hash: C5C1D532214ACC86EBE38B1194907F83790F34ABCCF8AD136FB4646685DF249649C71A
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _mktime64atoi
                                                                                                                                          • String ID: VUUU$anfebmaraprnayjunjulaugsepoctnovdec
                                                                                                                                          • API String ID: 4184807649-2104782412
                                                                                                                                          • Opcode ID: 1c10f032e27ea18b77686cd2d84d617b20476ae09abb30765c8792ea9fbc2fa6
                                                                                                                                          • Instruction ID: c2613ff36e010a457e46afe763ee94a76d49c71e9ebcce3f3232a4706abe0a77
                                                                                                                                          • Opcode Fuzzy Hash: 1c10f032e27ea18b77686cd2d84d617b20476ae09abb30765c8792ea9fbc2fa6
                                                                                                                                          • Instruction Fuzzy Hash: 9C5139726086488FE7A6DB209540BED77D1E35D7D0F549722F69A821C1EF26CB9CCB02
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: malloc$free$Timetime
                                                                                                                                          • String ID: <$d$d
                                                                                                                                          • API String ID: 3424428123-2034941416
                                                                                                                                          • Opcode ID: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
                                                                                                                                          • Instruction ID: 466f5aad14050bf64cc8956bdc065fa340445efa7d208640b60abaa076653a21
                                                                                                                                          • Opcode Fuzzy Hash: 67633af4dfc8252cf45609dabaea5b26b53f42197f8e2474752b99a928027a60
                                                                                                                                          • Instruction Fuzzy Hash: F6713E72102B84C6EB96CF21D58439E37E8F748B88F59C528DB982B764DF74C5A8D720
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
                                                                                                                                          • String ID: WinSta0\Winlogon$\cmd.exe$h
                                                                                                                                          • API String ID: 3110162951-1128999311
                                                                                                                                          • Opcode ID: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
                                                                                                                                          • Instruction ID: 8a8f30963343f0c1642ff8c9ad02eeefcd5bb9c44978aec2e11ef53a48a7f9e7
                                                                                                                                          • Opcode Fuzzy Hash: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
                                                                                                                                          • Instruction Fuzzy Hash: DB319233958BC582E762CB50E8543DA77A0F7DA784F54C226A6C942A65EF78C298CB00
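The function blocks in this section are Joe Sandbox IDA-plugin similarity records for the module mapped at 0x180000000 inside svchost.exe: the `$`-separated API ID and String ID fields plus the Opcode and Instruction fuzzy hashes are what let an analyst match this code against other reports, and the block directly above (CreateProcess/CloseHandle with the strings `WinSta0\Winlogon` and `\cmd.exe`) is the kind of record worth pulling out for triage. The Python below is added here as an example and is not Joe Sandbox tooling or part of the report. It parses blocks in this layout into structured records, strips the "Download File" link text that the extraction glued onto the Associated entries, searches String IDs for a substring, and lists instruction fuzzy hashes shared by two parsed reports. The sample input is two blocks copied from this page (the second trimmed to its Similarity fields); treating names inside one `$`-group as a single undelimited token is an assumption inferred from the blocks shown.

```python
"""Parse Joe Sandbox "Similarity" function blocks from extracted report text.

Example code added to this page; it is not Joe Sandbox tooling. The field names
and block layout are taken from the blocks shown in the report: bulleted
"Key: value" lines, with "Instruction Fuzzy Hash" as the last field of a block.
"""
import re
from dataclasses import dataclass, field

# Sample input copied from the report above (second block trimmed to its
# Similarity fields). The trailing "Download File" text is extraction residue.
SAMPLE_REPORT = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateDirectoryProcessSystemlstrcatmemset
• String ID: WinSta0\Winlogon$\cmd.exe$h
• API String ID: 3110162951-1128999311
• Opcode ID: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
• Instruction ID: 8a8f30963343f0c1642ff8c9ad02eeefcd5bb9c44978aec2e11ef53a48a7f9e7
• Opcode Fuzzy Hash: 377d92c3c3f7588309b3223c4e866e91415498e2d0b57ba55e9f7e9773e501a6
• Instruction Fuzzy Hash: DB319233958BC582E762CB50E8543DA77A0F7DA784F54C226A6C942A65EF78C298CB00
Similarity
• API ID: getaddrinfo
• String ID: DNS NXDOMAIN$GET$MQTT$POST$PUT$UDP$YZ[\X]^_RAW$client_connect2
• API String ID: 300660673-2214405465
• Opcode Fuzzy Hash: 0880df214e9cd3c2f1cf25e5b96380e1b1ca444558782d537dd0fee6feb36dbb
• Instruction Fuzzy Hash: C5C1D532214ACC86EBE38B1194907F83790F34ABCCF8AD136FB4646685DF249649C71A
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
LAST_FIELD = "Instruction Fuzzy Hash"  # closes a block in the report layout
LINK_RESIDUE = "Download File"         # glued onto Associated entries by extraction


@dataclass
class FunctionBlock:
    values: dict = field(default_factory=dict)
    associated: list = field(default_factory=list)

    @property
    def api_groups(self):
        # Assumption from the blocks shown: '$' separates groups, and names inside
        # a group are concatenated without a delimiter, so each group stays whole.
        return [g for g in self.values.get("API ID", "").split("$") if g]

    @property
    def strings(self):
        return [s for s in self.values.get("String ID", "").split("$") if s]

    @property
    def instruction_fuzzy_hash(self):
        return self.values.get(LAST_FIELD, "")


def parse_blocks(text):
    """Split report text into FunctionBlock records, one per Similarity entry."""
    blocks, current = [], FunctionBlock()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # "APIs", "Strings", "Similarity", ... are headers without values
        key, value = m.group(1), m.group(2)
        if value.endswith(LINK_RESIDUE):
            value = value[: -len(LINK_RESIDUE)].rstrip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.values[key] = value
        if key == LAST_FIELD:
            blocks.append(current)
            current = FunctionBlock()
    return blocks


def find_blocks_with_string(blocks, needle):
    """Blocks whose String ID contains `needle` (case-insensitive substring)."""
    needle = needle.lower()
    return [b for b in blocks if any(needle in s.lower() for s in b.strings)]


def shared_instruction_hashes(blocks_a, blocks_b):
    """Instruction fuzzy hashes present in both reports: candidate shared code."""
    hashes_a = {b.instruction_fuzzy_hash for b in blocks_a}
    hashes_b = {b.instruction_fuzzy_hash for b in blocks_b}
    return sorted(hashes_a & hashes_b)


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_REPORT)
    for blk in find_blocks_with_string(parsed, "cmd.exe"):
        print(blk.instruction_fuzzy_hash, blk.api_groups, blk.strings)
```

Feed the whole report text to `parse_blocks` and run `shared_instruction_hashes` against a second report to see which functions recur; since the fuzzy hashes are computed by Joe Sandbox, an exact match here means the plugin produced an identical hash, not that the bytes are identical.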
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Event$EventsWait$Multiplememset$CloseCreateEnumNetworkObjectSelectSingle
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4111286588-0
                                                                                                                                          • Opcode ID: cb05e26348fc5fa680f74ac7f4703aa7f24feaffb504ccfcfa995c813edf2173
                                                                                                                                          • Instruction ID: 546d487ed4a885a0f1727a2aab1a2d449dd24cc8967c8d5c63f42d9527891ca4
                                                                                                                                          • Opcode Fuzzy Hash: cb05e26348fc5fa680f74ac7f4703aa7f24feaffb504ccfcfa995c813edf2173
                                                                                                                                          • Instruction Fuzzy Hash: 43618F32201B848AE7A2CF25D8407DE73A5F7497D8F558215EA9D47BA8DF34C759CB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _strnicmp
                                                                                                                                          • String ID: %s: malformatted protocol list$%s: malformed or absent conn hdr$%s: pcol name too long$%s: protocol list too long$NULL protocol at lws_read$lws_process_ws_upgrade$upgrade$ws upg pcol$ws upgrade default pcol
                                                                                                                                          • API String ID: 2635805826-3436673557
                                                                                                                                          • Opcode ID: 4ff8d91c8aa0005156a51a5dfb16b6fc1044c44ad5f8a3d9a3d1f04027fe3cda
                                                                                                                                          • Instruction ID: 20cb35c50caca3f10adfcea1c45ea1a57c874502099cf0df93d652b848d7663d
                                                                                                                                          • Opcode Fuzzy Hash: 4ff8d91c8aa0005156a51a5dfb16b6fc1044c44ad5f8a3d9a3d1f04027fe3cda
                                                                                                                                          • Instruction Fuzzy Hash: 35517172301A8881FBA79B55F4503D96350F78C7C8F848126FA485B6A6EF6ECB5DCB40
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: CriticalReadSectionVirtual$AllocEnterErrorExitFreeLastLeaveThreadTimesendtime
• String ID:
• API String ID: 3122330297-0
• Opcode ID: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
• Instruction ID: f7eac1dd2de70b53d53e3eab7ec8ea87249c30c15c0ef925b5336bb8e0fd8ac6
• Opcode Fuzzy Hash: 51404108585b7ff1db373e89b646bf7e8d42d759f0de1be0177d3c4d76274544
• Instruction Fuzzy Hash: C7418032300A4487E7968F26E95439E73A1FB49FC4F14C129EB5A8B754DF38DA59CB01
Similarity
• API ID: memset$Windowlstrlen$Process32$ClassCloseCreateFirstHandleNameNextProcessSnapshotTextThreadToolhelp32Visible
• String ID:
• API String ID: 4082481662-0
• Opcode ID: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
• Instruction ID: d0f507396e64800563df14b166d5fa831775ab325477c94ed690f18abff4640a
• Opcode Fuzzy Hash: f3f6308184de1336c682d88350a7a94f45cac4e12ff12976c06c3bffbcc68aeb
• Instruction Fuzzy Hash: 05411776310A849ADB71DF26DD447EA2361FB89B99F409111DE0E8BE58EF39C358CB00
Similarity
• API ID: Service$Control$CloseHandleOpen$ManagerQuerySleepStartStatus
• String ID:
• API String ID: 2453229493-0
• Opcode ID: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
• Instruction ID: a827f19ee3d39340aa7ff37006d083c65898c79fdd008705067775172c250e71
• Opcode Fuzzy Hash: 2273a004fea410f7597165bb23289446dcc16b9a87cf60cf92e4a93607a0279b
• Instruction Fuzzy Hash: C431A77160574482E6E68B56A92839B73A1FB8CBD1F25C521EA4A03754EE7CC74C8B00
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction ID: df31702713cfb229a575d7950fa945f7c7faf68abf407ff6d34f975fbd772260
• Opcode Fuzzy Hash: 948343c06ea8565a1ec3a8f72c563dc0c748cdd4bbb0149151ad3a0c17d1f3f7
• Instruction Fuzzy Hash: B3C10576701B448AEB62CF79D4847AD23B1FB88B98F118516EE0E57B28DF38C649C740
Similarity
• API ID:
• String ID: 0$localeconv
• API String ID: 0-1694054256
• Opcode ID: 62c991d504baceb27228d7619c59d8f6b300d3d360e6c3cc75c69b9d69c5f280
• Instruction ID: e29cbc192d5b5fa776c4183e2a42224c504630d66b273c1672e9d2f84518f776
• Opcode Fuzzy Hash: 62c991d504baceb27228d7619c59d8f6b300d3d360e6c3cc75c69b9d69c5f280
• Instruction Fuzzy Hash: F6C1A172205B8486E7A18F25E85039C37A6F709FD5F248219EBED07B95DF39C6A9C700
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• GetCurrentProcessId.KERNEL32 ref: 0000000180012020
• ProcessIdToSessionId.KERNEL32 ref: 0000000180012030
  • Part of subcall function 0000000180026CA0: VirtualAlloc.KERNEL32 ref: 0000000180026CBE
  • Part of subcall function 0000000180026CA0: GetCurrentProcessId.KERNEL32 ref: 0000000180026D39
• VirtualAlloc.KERNEL32 ref: 0000000180012096
• InitializeCriticalSection.KERNEL32 ref: 00000001800120A8
• VirtualAlloc.KERNEL32 ref: 00000001800120CD
• InitializeCriticalSection.KERNEL32 ref: 00000001800120DF
• CreateThread.KERNEL32 ref: 0000000180012117
• WaitForSingleObject.KERNEL32 ref: 000000018001212D
• CloseHandle.KERNEL32 ref: 0000000180012136
Similarity
• API ID: AllocCriticalSectionVirtual$EnterInitializeProcessRead$CurrentLeave$CloseCreateHandleObjectSessionSingleThreadWait
• String ID:
• API String ID: 1571644542-0
• Opcode ID: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction ID: c803f1937374879516fc36001848ea71169e9560d2ca95881579869001e17f0a
• Opcode Fuzzy Hash: dcf58f8bd94f4b4f5eefa7d45e8e40f62b7c11d8478bf447f9b59908b2d98ac2
• Instruction Fuzzy Hash: 11313D32215B8482E796DF21F814399B7A5FB8CBD0F548219FA9647B94EF38C658CB40
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualAlloc.KERNEL32 ref: 0000000180028683
• VirtualAlloc.KERNEL32 ref: 00000001800286CF
• IsBadReadPtr.KERNEL32 ref: 0000000180028711
• EnterCriticalSection.KERNEL32 ref: 0000000180028729
• VirtualAlloc.KERNEL32 ref: 0000000180028740
• LeaveCriticalSection.KERNEL32 ref: 0000000180028764
• VirtualFree.KERNEL32 ref: 0000000180028789
• VirtualFree.KERNEL32 ref: 00000001800287B3
• VirtualFree.KERNEL32 ref: 00000001800287C9
• VirtualFree.KERNEL32 ref: 00000001800287F3
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
• Instruction ID: d0ad719fa565a145eaef6b7726f9e7cff3c3b88db48e1dcf6b865918ce14aec4
• Opcode Fuzzy Hash: 46fff95910c23406eb469c503979ea30ae88de5af3fad95f670b18fa206ae6df
• Instruction Fuzzy Hash: 51517C35315B4482EB9A9F26E9543AA63A1FF8CFC1F54C024EF8A43B54DF38D6198700
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcat$DeleteErrorFileLastmemset
                                                                                                                                          • String ID: C:\Program Files\Windows Mail$\temp.key
                                                                                                                                          • API String ID: 3002015462-229217837
                                                                                                                                          • Opcode ID: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                                          • Instruction ID: 418552250ced0e4a5d951a15a9e44788c617947f6cb3901df8409ae19f2d7500
                                                                                                                                          • Opcode Fuzzy Hash: 75718442f7fc29e2b7bc083eea7b4b405c17fcc48b4aa1abb5b1d73d3bcafe19
                                                                                                                                          • Instruction Fuzzy Hash: 8D113D32608B89D6D7618F55F84439AB3A5FBDD7C4F508216F69A42A68EF7CC24CCB00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: strnlenwcsnlen
                                                                                                                                          • String ID: (null)$(null)$0
                                                                                                                                          • API String ID: 3725369605-212571832
                                                                                                                                          • Opcode ID: 67498eb6120f9a87af12e93a27b0a3bfdbad7a3d9dcff1efb83aa52a075b076c
                                                                                                                                          • Instruction ID: 66fce8290cce2b71c14474b78f598dfd8bd286b4286ac5328ae3c4fc44f0a64c
                                                                                                                                          • Opcode Fuzzy Hash: 67498eb6120f9a87af12e93a27b0a3bfdbad7a3d9dcff1efb83aa52a075b076c
                                                                                                                                          • Instruction Fuzzy Hash: AAA1D372214F4885EBA68F28D8407EC77A2F359BD8F749105FE6947684DF35CA8AC740
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memchrmemcpy
                                                                                                                                          • String ID: %s: failed to get c '%s'$%s:no cookiejar$lws_cookie_attach_cookies
                                                                                                                                          • API String ID: 3039221550-101748955
                                                                                                                                          • Opcode ID: 2240d8001afbd33d5b716c548b6dd03b428f2b485bf9da117c7a8488b072aaa3
                                                                                                                                          • Instruction ID: 78b98571fa2367f6c2707e6fa4df3d7cfaf4dd4838afe4a07a99c5f21938646c
                                                                                                                                          • Opcode Fuzzy Hash: 2240d8001afbd33d5b716c548b6dd03b428f2b485bf9da117c7a8488b072aaa3
                                                                                                                                          • Instruction Fuzzy Hash: B771D132604B8889FBA28B65D450BE927A0FB5D7D8F48D216FE58277D5DF39C289C301
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: closesocket
                                                                                                                                          • String ID: __lws_close_free_wsi_final$client_reset$failed to get ah$free$lws_free
                                                                                                                                          • API String ID: 2781271927-1207365477
                                                                                                                                          • Opcode ID: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
                                                                                                                                          • Instruction ID: b11989734cbcc3ef02deb52aac5978c09b8d5929b6a9c59948ee33c9b6b24a02
                                                                                                                                          • Opcode Fuzzy Hash: 25f6bb898b64ce15532d64514156a68591c670a9a80de1def1c087238b177e9a
                                                                                                                                          • Instruction Fuzzy Hash: A8518332300B8891EA9ADB25D6803ED63A5F789BE4F558316BB78077D2DF34D6698304
                                                                                                                                          APIs
                                                                                                                                          • __chkstk.NTDLL ref: 000000018001E01D
                                                                                                                                          • memset.NTDLL ref: 000000018001E048
                                                                                                                                          • memset.NTDLL ref: 000000018001E05A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001E09B
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001E0C5
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001E197
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001E1C1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leavememset$Initialize__chkstk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2598321309-0
                                                                                                                                          • Opcode ID: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
                                                                                                                                          • Instruction ID: 0923d7b35471971d6684b23f2a4c2e262b1c464dcb08f8d5d554864809a20f42
                                                                                                                                          • Opcode Fuzzy Hash: 19803d78e17f30e281bc56e6a6dc2545e298c1294dfc20e4aef617dcccde76fa
                                                                                                                                          • Instruction Fuzzy Hash: 5C518F32318A9492EBB5DF22E6443AE7361FBCABC0F448115EB8A43F44DF38D1598B04
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001D790
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001D7BA
                                                                                                                                          • CreateThread.KERNEL32 ref: 000000018001D7E8
                                                                                                                                          • IsBadReadPtr.KERNEL32 ref: 000000018001D80C
                                                                                                                                          • EnterCriticalSection.KERNEL32 ref: 000000018001D81F
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018001D836
                                                                                                                                          • LeaveCriticalSection.KERNEL32 ref: 000000018001D85A
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSectionVirtual$Alloc$EnterRead$Leave$Free$CreateInitializeThread
                                                                                                                                          • String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Similarity
• API ID: Virtual$Free$Alloc$InfoUserlstrcmpi
• String ID:
APIs
Strings
Similarity
• API ID: CloseCreateFileHandle__doserrno_errno
• String ID: :
APIs
Strings
Similarity
• API ID: Library$AddressAllocFreeLoadProcVirtual
• String ID: SetProcessDPIAware$user32.dll
APIs
Similarity
• API ID: FreeVirtualmemcpymemset$FileOperation
• String ID:
APIs
Strings
Similarity
• API ID: CloseHandle$CreateErrorLastProcessSuspendThreadTokenWith
• String ID: h
APIs
Similarity
• API ID: OpenService$CloseErrorHandleLastManager
• String ID:
APIs
Strings
Similarity
• API ID: DirectoryErrorFreeLastSystemVirtuallstrcatmemset
• String ID: \svchost.exe -k netsvcs
APIs
Similarity
• API ID: Virtual$Alloc$CriticalFreeInitializeSection
• String ID:
Strings
Similarity
• API ID:
• String ID: %s: wsi not bound to vhost$<html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>%u</h1>%s</body></html>$lws_return_http_status$pending status body$text/html
                                                                                                                                          • API String ID: 0-3335276413
                                                                                                                                          • Opcode ID: e762419415749a66cd9e4173b8542a7493df9f9a23a6f186c0f9cf70f49c93aa
                                                                                                                                          • Instruction ID: fe26ec063cbc48624dde9099db830e2e49edf84b6a2075d819abc6d1f601589e
                                                                                                                                          • Opcode Fuzzy Hash: e762419415749a66cd9e4173b8542a7493df9f9a23a6f186c0f9cf70f49c93aa
                                                                                                                                          • Instruction Fuzzy Hash: D3A18132204BC885EBB68B21E4807EA67A4F7497C8F558125FF9947786DF38C789C708
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memset
                                                                                                                                          • String ID: default$lws_free$lws_protocol_init_vhost$protocol %s failed init$raw
                                                                                                                                          • API String ID: 2221118986-224536676
                                                                                                                                          • Opcode ID: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
                                                                                                                                          • Instruction ID: bb88fd17a4a82a0250628e9086b80fc0fd5949db7b3dec8f3339b0b26ad1c6ff
                                                                                                                                          • Opcode Fuzzy Hash: 3ca2b0dda705691ad3dfa99d16c899407311fd09951ce103c95fd508c95c4fdf
                                                                                                                                          • Instruction Fuzzy Hash: 94919C72200FC881EBAA8F11D4857E977A0F78ABC9F56901AEF9903744DF34D619C744
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy
                                                                                                                                          • String ID: %s: unsized dyn table$Dropping header content before limit!$free$hpack dyn$lws_dynamic_token_insert
                                                                                                                                          • API String ID: 3510742995-1106822923
                                                                                                                                          • Opcode ID: 38f18722d6c724cb663955093bc12d04a2b663f3068941b29b270f5aa37d76bc
                                                                                                                                          • Instruction ID: bb91e4a8d91757a7ccfd4bf5a3e3487ec1026b5a65b1bcbcf4cd1204f063ae3c
                                                                                                                                          • Opcode Fuzzy Hash: 38f18722d6c724cb663955093bc12d04a2b663f3068941b29b270f5aa37d76bc
                                                                                                                                          • Instruction Fuzzy Hash: 7A71AE36320A8881D795DF2AE4407BD73A6FB88FD8F018026BE4943759EF36C989D340
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFree$InfoUserlstrcmpi
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4244901044-0
                                                                                                                                          • Opcode ID: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
                                                                                                                                          • Instruction ID: 50fc7e5707614e6f3dac0ce4ac0a634bc86221c2fd229e1be9eb41f0f341c50a
                                                                                                                                          • Opcode Fuzzy Hash: 4bb39a4d54623631dae1162540759efd2fad283e37046eba1ed0997ae9d8ff27
                                                                                                                                          • Instruction Fuzzy Hash: 0A31747131074842EB66CF26E8447AAA7A1AB4DFD1F148038ED4A47798DF7CC64DCB00
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ObjectSingleWaitmemcpy$Eventmemset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2578485326-0
                                                                                                                                          • Opcode ID: 4b7ccff7cc8b725b09c582a996c9dbd6aeb28199792e257624d1a1754784ee10
                                                                                                                                          • Instruction ID: 56f86bbc58855b6075aee45e924c73265a62f824d3d0b1669c699fedc53ac016
                                                                                                                                          • Opcode Fuzzy Hash: 4b7ccff7cc8b725b09c582a996c9dbd6aeb28199792e257624d1a1754784ee10
                                                                                                                                          • Instruction Fuzzy Hash: B431E931304A0882E6A3D776F8807DB6360EB8C7D5F558411FFDA836A5EE78C6899300
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: free
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                          • Opcode ID: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
                                                                                                                                          • Instruction ID: 4532e7ad88e92783144c61f4f6d2900ac89e9450762ef15b38e3950c58b5259e
                                                                                                                                          • Opcode Fuzzy Hash: 086ef2399a2b39805725e1e66e9ffec4bc1c65bc9c079221ec383ecf087ce0d7
                                                                                                                                          • Instruction Fuzzy Hash: 6551D576202F4881EB828B59E5803987365F74CFD4F68D426EA9D03764DFB5C6AAC320
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                          • Opcode ID: e678b758875d27a0bf091b5624fc88a162c43534257f2b693664699c7e9877e8
                                                                                                                                          • Instruction ID: 8b8ca0ed71f779e7386428d5087bdfdb25684bd4f02d6e02136788054c443d58
                                                                                                                                          • Opcode Fuzzy Hash: e678b758875d27a0bf091b5624fc88a162c43534257f2b693664699c7e9877e8
                                                                                                                                          • Instruction Fuzzy Hash: D4F03031201B0881EB968B28A8453996362AB8DBE1F649715E57A456E4DF3DC28DD740
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3510742995-0
                                                                                                                                          • Opcode ID: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
                                                                                                                                          • Instruction ID: 46dd7e174bbb0176d8158cd44d0f918e6d490295a3558a5e7a1ed015a6db4e3d
                                                                                                                                          • Opcode Fuzzy Hash: b36940c9134db9debb5434aae0f74bffe43cbb9a5314d30aa24a6dee75e394a3
                                                                                                                                          • Instruction Fuzzy Hash: DE619C32205B888AEBA2CF25E84479973A4FB4CBD4F69C425EE8D43794EF74C649C740
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800242F3
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002431D
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180024334
                                                                                                                                          • InitializeCriticalSection.KERNEL32 ref: 00000001800243BE
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180024443
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002446D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$InitializeLeave
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2124124174-0
                                                                                                                                          • Opcode ID: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
                                                                                                                                          • Instruction ID: 1a4552423636e67eab2c1520faff09b05bbcc1213573510507159075cfaa0eb2
                                                                                                                                          • Opcode Fuzzy Hash: ce30a7c37a809ab6b36126a6c5df061884de53dfa42c463ff1a9a8109802fa83
                                                                                                                                          • Instruction Fuzzy Hash: 5F513C32611F4486EBA5DF12F85879A73A9FB8CB84F558125EE8E43B14DF38D258C740

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: strchr
• String ID: http://$http_proxy needs to be ads:port$lws_set_proxy$proxy auth too long
• API String ID: 2830005266-175238664
• Opcode ID: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
• Instruction ID: 252963013e37880a5f6833a7ab8bea35b96ab233e80dd34d852d668b7bae1ba6
• Opcode Fuzzy Hash: d1ab9b85537000d759f710dae04c861439685c4e7ab67b200bb48c131c9f798f
• Instruction Fuzzy Hash: 7331F631704B8885EBA6DB21E5403EA6351A74ABC4F54C121FE5D17B9BEF29C31EC345

APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180015706
• VirtualFree.KERNEL32 ref: 0000000180015730
• VirtualFree.KERNEL32 ref: 0000000180015BA8
• VirtualFree.KERNEL32 ref: 0000000180015BD2
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initialize
• String ID: 52.74.204.186
• API String ID: 696443088-4271030103
• Opcode ID: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
• Instruction ID: 5cda13590cf398a7562659c65d185bc26be6142773128daa7fa494d5a847475a
• Opcode Fuzzy Hash: 7078d51f2a842d056aef008d8b9e0584b22a38109fb0f17c7c38043e1d6e8ae5
• Instruction Fuzzy Hash: 93316F36705B4082EBA5DF12E55875AA3A5FB89BC1F11C115EF8607BA4DF39C289DB00

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID: %s: OOM$%s: buflist reached sanity limit$%s: corrupt list points to self$lws_buflist_append_segment
• API String ID: 3510742995-575834517
• Opcode ID: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
• Instruction ID: 4b9f86e74c2c964e6e36c752caefe5a3740dee5ce4422127799d0d10c5e21769
• Opcode Fuzzy Hash: 79284cf2320dce2018f6e97d572864547c67ef809e1d40b3a32f6d216f6ca7e6
• Instruction Fuzzy Hash: 2521A132204F8881FAA68B15E8803E977A1F74DBD8F568116FA5D077A6DF38C68DC344

APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _errno
• String ID:
• API String ID: 2918714741-0
• Opcode ID: 867c813408c47003856487d9d7ddf2f299c27c866921b7c00dbaf6564a6c8a9b
• Instruction ID: 2552c33322c8c3ba54c5fd4790869664e60f7750ed47400c7edee610d249c408
• Opcode Fuzzy Hash: 867c813408c47003856487d9d7ddf2f299c27c866921b7c00dbaf6564a6c8a9b
• Instruction Fuzzy Hash: D211363260478480EAD1AB25B5403DE5392E3887D8F29A224FBBA0B7C5CF38C5C78704

Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID:
• String ID: %s: WSAPoll failed: count %d, err %d: %d$_lws_plat_service_tsi
• API String ID: 0-2420814896
• Opcode ID: 74adf9df8c06806404fa061e618759ccf63e20c0546f0dd375249f3605fd535d
• Instruction ID: b55d5f2b5d4eff2fa94cd21e447625c3e30541992c22a958acd5a53cfe757ead
• Opcode Fuzzy Hash: 74adf9df8c06806404fa061e618759ccf63e20c0546f0dd375249f3605fd535d
• Instruction Fuzzy Hash: 6581F073200A8883EBA68B15A4403EE7295F74C7C8F55C125FF595B795EF39D646CB00

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: _time64memset
• String ID: %s: calling service$__lws_header_table_reset
• API String ID: 899224009-1639372703
• Opcode ID: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction ID: 5e82bdfe920b9ab013f9826534e472695fa2a594b32c4a3153a1c9bd49f4ed2a
• Opcode Fuzzy Hash: a9f15bdc1dc03cd649ae2c0efe04c1451751ae562199952308a362106ea05dd7
• Instruction Fuzzy Hash: F631A132A04BC482E796CF21D5803ED6764F799F88F199236AF581B269EF30D3A5C314

APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: d42d265467519c93c7dd951c29be45eba968ee9a7fe8673b8b37004fd25c35d6
• Instruction ID: d4dacb9b5bf7a5b83de5f42d58e9740fdd28e5af92b2877f69c7988f04a7870b
• Opcode Fuzzy Hash: d42d265467519c93c7dd951c29be45eba968ee9a7fe8673b8b37004fd25c35d6
• Instruction Fuzzy Hash: 2141C13261478886EB96CF218450BEA27A0FB5DBC8F44D112FE4967685EF39C749C302

APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B4AB
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B4D5
                                                                                                                                          • memset.NTDLL ref: 000000018001B4F6
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B546
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018001B570
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$CriticalSection$Alloc$Free$EnterRead$Leave$Initializememset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3460648485-0
                                                                                                                                          • Opcode ID: 3c6ebeff4e04c1c6b57bce02760e90bbf3a7ae38a370be6e0e926dec6ce5aaa2
                                                                                                                                          • Instruction ID: 87dde599cd748b8c32ebc84dd2c552ad12c09ebbabe043a8493efcfea12d56ee
                                                                                                                                          • Opcode Fuzzy Hash: 3c6ebeff4e04c1c6b57bce02760e90bbf3a7ae38a370be6e0e926dec6ce5aaa2
                                                                                                                                          • Instruction Fuzzy Hash: 9E315E32311E9486EB65DF67E9543AAA361FB8DBC1F448024DF8A47F54DF38C2598B00
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: strcmp
                                                                                                                                          • String ID: can't find role '%s'$lws_role_call_adoption_bind$raw-proxy
                                                                                                                                          • API String ID: 1004003707-2670016624
                                                                                                                                          • Opcode ID: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
                                                                                                                                          • Instruction ID: 856c33a7f91d113fa80138d5a6edae469c5f059fe421a065bee95859f9defa15
                                                                                                                                          • Opcode Fuzzy Hash: ddc2dee7fed4307f6de14917132bf2b0f3b232720b966688f40a1457e8129b7c
                                                                                                                                          • Instruction Fuzzy Hash: 06614671304B8D41EEA68B1698917E97BA1F749FC8F19D029FE8947395DE38C20AD344
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: atoi
                                                                                                                                          • String ID: http$https$wss
                                                                                                                                          • API String ID: 657269090-1519134247
                                                                                                                                          • Opcode ID: 701d953922a376634be604cd511beec6f9bc88c6d0ba1ed9f7566711d4f08381
                                                                                                                                          • Instruction ID: be4ecfb893a0eccff37447a91141d411b24d30939406da6c691932dec41fcb09
                                                                                                                                          • Opcode Fuzzy Hash: 701d953922a376634be604cd511beec6f9bc88c6d0ba1ed9f7566711d4f08381
                                                                                                                                          • Instruction Fuzzy Hash: FC519072508ACC44EBF34F2494113FA3BE1A31ABC8F5AC052E7D5463D6DE6A865E8311
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpystrncmptolower
                                                                                                                                          • String ID: transfer-encoding
                                                                                                                                          • API String ID: 1825611792-1470906230
                                                                                                                                          • Opcode ID: c539f7db85004bbdaa11fa9888ce0fed88215ddef03d4659c1c778ac67b775c8
                                                                                                                                          • Instruction ID: b97529d15c7033a20ce9e5b24556692f0e3a2daee8d10b7a8aa24fb646eaf914
                                                                                                                                          • Opcode Fuzzy Hash: c539f7db85004bbdaa11fa9888ce0fed88215ddef03d4659c1c778ac67b775c8
                                                                                                                                          • Instruction Fuzzy Hash: 6B41A072304A8885EB568E26E4503A93BA1E359BD4F14C111FF4E5738ADF3EC259A701
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$__pctype_funcfree
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2006978261-0
                                                                                                                                          • Opcode ID: 33940d6e5fc8a6375603b3a7ba23e2abfb58298483cfd1f6bf6a832e02cc6377
                                                                                                                                          • Instruction ID: b4b0e41c05156b32ca972ba8fb8b71cd992a7ca077e43592f321546519cbf2a4
                                                                                                                                          • Opcode Fuzzy Hash: 33940d6e5fc8a6375603b3a7ba23e2abfb58298483cfd1f6bf6a832e02cc6377
                                                                                                                                          • Instruction Fuzzy Hash: 93412F761087D48DE6A3CB54D8903EE77A6E7497C6F388005FBA607795CE38C649DB10
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: _errno$freestrtol
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3444388478-0
                                                                                                                                          • Opcode ID: 7403869242572383e56bd683cb69b1769a801e6b061c76f3d918504b1cdbba2f
                                                                                                                                          • Instruction ID: 8f4a69c81363a754ddd304638c94179cbfff9b1927f4a6e99413924a4c35ebc5
                                                                                                                                          • Opcode Fuzzy Hash: 7403869242572383e56bd683cb69b1769a801e6b061c76f3d918504b1cdbba2f
                                                                                                                                          • Instruction Fuzzy Hash: 2B4172322047888AFBA28F55E8413DE77E2F7997C4F248015FA5947B95CF78D689CB40
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: memcpy
                                                                                                                                          • String ID: Unable to connect$lws_conmon_append_copy_new_dns_results
                                                                                                                                          • API String ID: 3510742995-4193639203
                                                                                                                                          • Opcode ID: cba5df87d3bc34571f15c18130ba281561c34a16ecc347fc48b3718e4e5733a0
                                                                                                                                          • Instruction ID: 62ed0a04fc34075671b1a35ecb37c3fee2d7bdfcd5a5fba08d5d5aed4e27db10
                                                                                                                                          • Opcode Fuzzy Hash: cba5df87d3bc34571f15c18130ba281561c34a16ecc347fc48b3718e4e5733a0
                                                                                                                                          • Instruction Fuzzy Hash: 8A41BF32A01B8482EBA68F15D14039977A1F788BD8F19C225FF5D177A9EF35CA94C740
                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 000000018002F0A4
                                                                                                                                          • ProcessIdToSessionId.KERNEL32 ref: 000000018002F0B1
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018002F164
• VirtualFree.KERNEL32 ref: 000000018002F18E
  • Part of subcall function 0000000180016F60: GetCurrentProcessId.KERNEL32 ref: 0000000180016FDB
  • Part of subcall function 0000000180016F60: ProcessIdToSessionId.KERNEL32 ref: 0000000180016FEB
  • Part of subcall function 0000000180016F60: CreateToolhelp32Snapshot.KERNEL32 ref: 0000000180017014
  • Part of subcall function 0000000180016F60: GetProcessHeap.KERNEL32 ref: 0000000180017023
  • Part of subcall function 0000000180016F60: HeapAlloc.KERNEL32 ref: 0000000180017036
  • Part of subcall function 0000000180016F60: CloseHandle.KERNEL32 ref: 0000000180017047
  • Part of subcall function 0000000180016F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 0000000180017056
  • Part of subcall function 0000000180016F60: VirtualFree.KERNEL32 ref: 00000001800171B6
  • Part of subcall function 0000000180016F60: VirtualFree.KERNEL32 ref: 00000001800171E0
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$Process$Free$EnterReadSession$CurrentHeapLeave$ActiveCloseConsoleCreateHandleInitializeSnapshotToolhelp32
• String ID:
• API String ID: 1320018004-0
• Opcode ID: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
• Instruction ID: ba0eed75bc608429606151e3293df9a5b704ab4f115ec94558a233db70ef6dfe
• Opcode Fuzzy Hash: 219dca6d74f5f01e876d51951d5a85646c7e832a6bf75ab04d447e85a6392336
• Instruction Fuzzy Hash: 11315071220B5482EBA6DF11E9543AD73A1FB8DFC4F549125FA4A43B58DF38C658CB40
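The listings above record, for each function in the dumped svchost image, its direct API calls and the calls made by its subcall functions. The following is an added triage example, not Joe Sandbox code and not part of this report: it parses that listing format, groups the APIs by origin (the function itself or a named subcall), and flags API combinations that the report's own listings show, such as ProcessIdToSessionId, CreateToolhelp32Snapshot and WTSGetActiveConsoleSessionId together in subcall 0000000180016F60, or the critical-section-guarded VirtualAlloc loop in subcall 0000000180013330. The sample input is constructed from lines copied out of the report (two functions' worth); the pattern names and rule sets are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Parse a Joe Sandbox "APIs" listing for one function and flag API combinations.

Added example; not Joe Sandbox code. The line format (bullet, optional
"Part of subcall function <addr>:", "<Api>.<MODULE>(<args>), ref: <addr>")
is taken from the report; PATTERNS below are this example's own heuristics.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report's listings. Direct calls are
# VirtualFree/CreateThread; subcalls are 0x180013330 (allocator) and 0x180016F60
# (process/session enumeration). CreateThread is borrowed from another function's
# listing so that one pattern is only complete across the function plus its subcalls.
SAMPLE_LISTING = """\
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
• VirtualFree.KERNEL32 ref: 000000018002F164
• VirtualFree.KERNEL32 ref: 000000018002F18E
• CreateThread.KERNEL32 ref: 000000018002A782
  • Part of subcall function 0000000180016F60: GetCurrentProcessId.KERNEL32 ref: 0000000180016FDB
  • Part of subcall function 0000000180016F60: ProcessIdToSessionId.KERNEL32 ref: 0000000180016FEB
  • Part of subcall function 0000000180016F60: CreateToolhelp32Snapshot.KERNEL32 ref: 0000000180017014
  • Part of subcall function 0000000180016F60: CloseHandle.KERNEL32 ref: 0000000180017047
  • Part of subcall function 0000000180016F60: WTSGetActiveConsoleSessionId.KERNEL32 ref: 0000000180017056
"""

CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"      # argument list is optional in the report
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Hypothetical triage rules: every API in a set must be present for a hit.
# The first two are the combinations visible in the report's listings.
PATTERNS = {
    "session-scoped process enumeration": {
        "ProcessIdToSessionId", "CreateToolhelp32Snapshot", "WTSGetActiveConsoleSessionId"},
    "lock-protected VirtualAlloc allocator": {
        "VirtualAlloc", "InitializeCriticalSection", "EnterCriticalSection", "LeaveCriticalSection"},
    "thread spawn and handle drop": {"CreateThread", "CloseHandle"},
}


def parse_listing(text):
    """Return one dict per API line; headings such as "Memory Dump Source" are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m["api"],
            "module": m["module"].upper(),
            "args": tuple(a.strip() for a in m["args"].split(",")) if m["args"] else (),
            "ref": int(m["ref"], 16),
            # "direct" = the function itself; otherwise the subcall address as printed
            "origin": m["sub"].upper() if m["sub"] else "direct",
        })
    return calls


def apis_by_origin(calls):
    """Map origin -> set of API names called from that origin."""
    grouped = defaultdict(set)
    for c in calls:
        grouped[c["origin"]].add(c["api"])
    return dict(grouped)


def match_patterns(calls):
    """Return {pattern: origins} for patterns complete within a single origin, or
    ["reachable"] when the set is only complete across the function and its subcalls."""
    grouped = apis_by_origin(calls)
    reachable = set().union(*grouped.values()) if grouped else set()
    hits = {}
    for name, needed in PATTERNS.items():
        origins = sorted(o for o, apis in grouped.items() if needed <= apis)
        if origins:
            hits[name] = origins
        elif needed <= reachable:
            hits[name] = ["reachable"]
    return hits


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for origin, apis in sorted(apis_by_origin(parsed).items()):
        print(f"{origin}: {', '.join(sorted(apis))}")
    for name, where in match_patterns(parsed).items():
        print(f"[hit] {name} <- {', '.join(where)}")
```

Run against a whole report export, the same parser can be fed each function's listing in turn; a hit reported as "reachable" rather than against one origin means the combination only exists once subcall behaviour is folded into the caller, which is worth noting before treating it as a property of that function alone.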
APIs
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$Free$AllocEvent
• String ID:
• API String ID: 2763048252-0
• Opcode ID: 408b677a78ec5f951b203cb1d68421295c5c1a06c57e89676511e7fcc40283bb
• Instruction ID: ca46a6e6144f43be1c06cafe765a2f507bfaca408efeb33c880b441cc711b9cf
• Opcode Fuzzy Hash: 408b677a78ec5f951b203cb1d68421295c5c1a06c57e89676511e7fcc40283bb
• Instruction Fuzzy Hash: 03319332700E4442EBE68F26A9043AE5791EB8EFD0F19C120FE5A8FB96DE34D5498700
APIs
• GetCurrentProcessId.KERNEL32 ref: 00000001800235DD
• ProcessIdToSessionId.KERNEL32 ref: 00000001800235EA
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018002367E
• VirtualFree.KERNEL32 ref: 00000001800236A8
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeaveProcess$CurrentInitializeSession
• String ID:
• API String ID: 3327369976-0
• Opcode ID: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
• Instruction ID: fd99c6a66cd7ea800b156c20b4fee5fc952d6e6d35935e791b67945c2d11420b
• Opcode Fuzzy Hash: f98e4ae98b7e11fca3d4a9eee25e402cb3ff29b46a0d4ad6d7052e7fc59a9eec
• Instruction Fuzzy Hash: 42313C32614B4487DB65DF26E44835EB3A5FB88B80F548225EB8A43B18DF3DD649CB40
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• CreateThread.KERNEL32 ref: 000000018002A782
• CloseHandle.KERNEL32 ref: 000000018002A790
• VirtualFree.KERNEL32 ref: 000000018002A7AC
• VirtualFree.KERNEL32 ref: 000000018002A7D6
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
• String ID:
• API String ID: 4031785131-0
• Opcode ID: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
• Instruction ID: 09a8c634ee0a77ba13094bb06eb91f4e081066f499e8da2bd266085e45850a2b
• Opcode Fuzzy Hash: 46f8680c48a87c550885bc35dd8c9f8526c11e3e393dc63d790dd5bf2b061a43
• Instruction Fuzzy Hash: DF213C35708B5082EB65DF53E95435AA3A1FB8DFD0F548129EF8A43B14DF38C2598B44
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 0000000180026188
• VirtualFree.KERNEL32 ref: 00000001800261B2
• CreateThread.KERNEL32 ref: 00000001800261CF
• CloseHandle.KERNEL32 ref: 00000001800261DD
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$CriticalSection$Alloc$EnterRead$FreeLeave$CloseCreateHandleInitializeThread
• String ID:
• API String ID: 4031785131-0
• Opcode ID: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
• Instruction ID: fee17a65687eca907a640ac3992546147f88c45a078b2ee3effaee71f90555ba
• Opcode Fuzzy Hash: 9906d6a9ce0f7f254b3389b28713ac5881b4f0dc512eb4610b511277353699d5
• Instruction Fuzzy Hash: 97116031705B4082EB95CF63E95435AA3A2BF8CBC1F18C125AB4A43B54DF38D2698700
APIs
Similarity
• API ID: Event$ObjectSingleWait
• String ID:
• API String ID: 2127046782-0
• Opcode ID: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
• Instruction ID: 2c01373562b33313cd830499f931160716592ca7e4d13661f1fd562ed2423c3d
• Opcode Fuzzy Hash: de6cca13531ef7be6a56a105a458a4c89b63c3fe75a489721cd85d5858837fa3
• Instruction Fuzzy Hash: F601613271464882DBE38B26E98475E63A1EB8CFD1F598115EA5A47768DE38CA888700
Strings
Similarity
• API ID:
• String ID: (null)$0
• API String ID: 0-38302674
• Opcode ID: abca63399dbdd7ca1ead2dfee145f9cfa62680915ab84428c804b8a6cddf5cc6
• Instruction ID: 4d5c2c8232b3af33984ae3620493541ef960866ed1991a6be4f82b168020b8be
• Opcode Fuzzy Hash: abca63399dbdd7ca1ead2dfee145f9cfa62680915ab84428c804b8a6cddf5cc6
• Instruction Fuzzy Hash: 2CA1D772108B8886E7A6CF28C8507EC37A2F359BD8F349115EEA947784DF35CA89C750
APIs
Strings
Similarity
• API ID: _errno
• String ID: 0
• API String ID: 2918714741-4108050209
• Opcode ID: 9cb55340de0e0c956073168701fea7522db158bb8432f989bb6f7b05cee61b81
• Instruction ID: f891781a2b9557852fdfb9fbd1eda0dcc53d157cf0ab2b3fbb965be7ad7fb1cd
• Opcode Fuzzy Hash: 9cb55340de0e0c956073168701fea7522db158bb8432f989bb6f7b05cee61b81
• Instruction Fuzzy Hash: 6B91D472218F4886EBA68F24C8407DD77A2F349BD8F749105EEA947784DF31CA8AC750
APIs
Strings
Similarity
• API ID: _write$memcpy
• String ID: |
• API String ID: 2496997324-2343686810
• Opcode ID: cf61cce58ca886a15639403763adbc2e92bf79bdf61202eea4e7dfec986bcaf2
• Instruction ID: f5d95356925bf96b949fbac8440fedc852c231d531356daa4554cdaebf1fd592
• Opcode Fuzzy Hash: cf61cce58ca886a15639403763adbc2e92bf79bdf61202eea4e7dfec986bcaf2
• Instruction Fuzzy Hash: 8E41F032305A9845EBE2CE25E584FD96394A70CBE8F4AC220AE6D077C1EF78C6498305
APIs
Strings
Similarity
• API ID: __pctype_func
• String ID: fputc$fwrite
• API String ID: 3630429742-4291123875
• Opcode ID: e9c822b156731075839b8dd13e10875af72a52f84741304959ba05d5b208b560
• Instruction ID: 44149378926c2d2e8bc3668b927d6e186dfb69a0892a42676b92b45da591eb46
• Opcode Fuzzy Hash: e9c822b156731075839b8dd13e10875af72a52f84741304959ba05d5b208b560
• Instruction Fuzzy Hash: BA41A47230474885EA839B15EC503D96792AB8C7D5FA88421FAAD473D1EF7EC789C350
APIs
Strings
Similarity
• API ID: ErrorLastgetpeername
• String ID: getpeername: %s
• API String ID: 2962421750-464625284
• Opcode ID: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
• Instruction ID: 8e5b22f6c71745472d771a736240a2f8b38a5d5d456bd51779f5d5866a1b17d5
• Opcode Fuzzy Hash: a69c3c67f136694d744e90525e7a2b9d8621fa00472cafbfdea3fe4c2253d187
• Instruction Fuzzy Hash: 1DF06D3570474882EA829B15F9453EAA361BB8DBC8F588121FE594775ADF39C2488B40
APIs
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
• VirtualFree.KERNEL32 ref: 000000018001C7B5
• VirtualFree.KERNEL32 ref: 000000018001C7DF
• VirtualFree.KERNEL32 ref: 000000018001C7F5
• VirtualFree.KERNEL32 ref: 000000018001C81F
Similarity
• API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
• String ID:
• API String ID: 3420869360-0
• Opcode ID: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                                          • Instruction ID: 4b1bcc27734f02408279893b6751d45a886e410d29ecad7f0b8f3cb754ffc34a
                                                                                                                                          • Opcode Fuzzy Hash: 617031c2d221066431aaff11be6c94ed0690b72a67014eff584da1fe74eb40db
                                                                                                                                          • Instruction Fuzzy Hash: B6416A32715B4086EBA5CF62E45875AB7A5FB8CFC0F148528EF8A03B18DF39C5498B04
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134EB
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800134FD
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013510
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013527
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013556
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013568
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001357B
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013592
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135C1
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800135D3
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135E6
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800135FD
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001362C
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 000000018001363E
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013654
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002859B
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800285C5
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800285DB
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180028605
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CriticalSection$Virtual$Alloc$EnterRead$Leave$Free$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3420869360-0
                                                                                                                                          • Opcode ID: 23f78063f8314758092a3b7e396099cf00d438552d882076b8ccf9c8bf355a0d
                                                                                                                                          • Instruction ID: 4e4304c5467bf88644f6851a9460645099648ae5db845c2dc60d587a2a73c880
                                                                                                                                          • Opcode Fuzzy Hash: 23f78063f8314758092a3b7e396099cf00d438552d882076b8ccf9c8bf355a0d
                                                                                                                                          • Instruction Fuzzy Hash: 77417936711B5486EBA5DF22E44875AB3A5FB8CFC0F598124EF8A43B18DF39D2458B00
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180028213
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180028258
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002828E
                                                                                                                                          • VirtualFree.KERNEL32 ref: 000000018002829F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                          • Instruction ID: 77ad1e5231ed8a476fbfc46c42ae85b2aca4ea425d337ae87cc9ce4e505ece4b
                                                                                                                                          • Opcode Fuzzy Hash: 1d1b306bf3c46ccf6e7229351797aac4dc12f87dd746d871babab7f5bc255a71
                                                                                                                                          • Instruction Fuzzy Hash: E6316D35712E4481FBD68F62E9543A963A1FF8CFD4F18C124EE1A47B84EF28C6599700
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180021274
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800212B9
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800212EF
                                                                                                                                          • VirtualFree.KERNEL32 ref: 0000000180021300
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                          • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                          • Instruction ID: 6a34f556e1eb952260192988d07e5359ed630ace43cde530af1f5a91e9e1e4a4
                                                                                                                                          • Opcode Fuzzy Hash: 5944f9928c617558d6447f66ff93bef18e990b1e2edeae30f48a59bf0b4b3e49
                                                                                                                                          • Instruction Fuzzy Hash: E7318E31310A4485EB96DF27E9543A923A1BB8CFD5F088124EE1A87B48EF28C6598740
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 0000000180033094
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 00000001800330D9
• VirtualFree.KERNEL32 ref: 000000018003310F
• VirtualFree.KERNEL32 ref: 0000000180033120
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
• Instruction ID: e4aa63813d0d37e329d180b1982be950b0dfcde14e28e818de6d8c70130e72de
• Opcode Fuzzy Hash: b8f4db6db1d0367102d5a07de2158188bc80ba2991919440e33211faedfcd802
• Instruction Fuzzy Hash: 23316231310A4481EBD68F27E99539A63A1FF4CFD4F09C124EE5A47B98DF39C6598700
APIs
• VirtualAlloc.KERNEL32 ref: 000000018001C1B4
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001C1F9
• VirtualFree.KERNEL32 ref: 000000018001C22F
• VirtualFree.KERNEL32 ref: 000000018001C240
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
• Instruction ID: 0111d3a934c151165b550e2593a99b7e0e9a14f01953bedcd4608c31b277a33a
• Opcode Fuzzy Hash: 62c558665775160bff6bd4cbced2f3b4a28216fdecb6bb590b6097234b34c5f5
• Instruction Fuzzy Hash: BC319E31310E4482EB968F67E9547A963A1FF8CFD4F08C124EE1A47B88EF38C6598745
APIs
• VirtualAlloc.KERNEL32 ref: 000000018001B1D4
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018001B219
• VirtualFree.KERNEL32 ref: 000000018001B24F
• VirtualFree.KERNEL32 ref: 000000018001B260
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
• Instruction ID: 4b2e6c66f327050a27fcd0c51096eb3f8ae716981fc83d70c768d5fe3c7de98f
• Opcode Fuzzy Hash: 6a0dbe3a0a406c02cb2e4d729dffdfe30f5f50d64f32219fd7338cec30936ee1
• Instruction Fuzzy Hash: A2316D31310A4481EB969F67E9547AD63A5FB8CFD4F088124EE1A87B98EF38C6598700
APIs
• VirtualAlloc.KERNEL32 ref: 000000018002A484
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
  • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
  • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
  • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
  • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
  • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
• VirtualFree.KERNEL32 ref: 000000018002A4C9
• VirtualFree.KERNEL32 ref: 000000018002A4FF
• VirtualFree.KERNEL32 ref: 000000018002A510
Memory Dump Source
• Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
Similarity
• API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
• String ID:
• API String ID: 1953590826-0
• Opcode ID: 626f2b7068f63ec094e6a9f92076cad6c8906216c14cb64ffb88a0ffa73d076f
• Instruction ID: efda1176230fd9837f10b735971e29991b7c7a4935e118cfebe42542b14e463d
• Opcode Fuzzy Hash: 626f2b7068f63ec094e6a9f92076cad6c8906216c14cb64ffb88a0ffa73d076f
• Instruction Fuzzy Hash: 6A317131314A4486FB969F27E9543AA63A1FF8DFD4F08C124EE1A47B58EF29C6598700
                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32 ref: 000000018003055B
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013347
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 000000018001338F
                                                                                                                                            • Part of subcall function 0000000180013330: InitializeCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133A3
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 00000001800133BC
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133CF
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800133E6
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013415
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013427
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 000000018001343A
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013451
                                                                                                                                            • Part of subcall function 0000000180013330: LeaveCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 0000000180013480
                                                                                                                                            • Part of subcall function 0000000180013330: IsBadReadPtr.KERNEL32 ref: 0000000180013492
                                                                                                                                            • Part of subcall function 0000000180013330: EnterCriticalSection.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134A5
                                                                                                                                            • Part of subcall function 0000000180013330: VirtualAlloc.KERNEL32(?,?,?,0000000180012014), ref: 00000001800134BC
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305A0
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305D6
                                                                                                                                          • VirtualFree.KERNEL32 ref: 00000001800305E7
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocCriticalSection$EnterFreeRead$Leave$Initialize
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1953590826-0
                                                                                                                                          • Opcode ID: f5394e92998ff4ba06ab85d94ac86c9fd9ddc821b539b28ef3b02b42b4153c03
                                                                                                                                          • Instruction ID: cea3756b3c5a100aeeaf40825adb8834645a0e8f2fd0e7eedf42260691285d7d
                                                                                                                                          • Opcode Fuzzy Hash: f5394e92998ff4ba06ab85d94ac86c9fd9ddc821b539b28ef3b02b42b4153c03
                                                                                                                                          • Instruction Fuzzy Hash: 98319131315A4481FBD68F63E96439A63A1FF8CFD4F19C124EE1A47B48EF28C6598700
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.3332901676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                           • Associated: 00000005.00000002.3332857706.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3332998963.0000000180068000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333065546.000000018007C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000005.00000002.3333125200.0000000180082000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_2_180000000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$lstrlen$Alloc$ByteCharMultiWidememset
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2589853381-0
                                                                                                                                          • Opcode ID: 9e973a8c3555f4eb24f0b8ebfcc6161375dadd9c45ee45004ec477c379de15ec
                                                                                                                                          • Instruction ID: 8b0ca1c1598baae50a5236b37b16b711799dbf7ffdf11fe73bb17caf9d3a0f63
                                                                                                                                          • Opcode Fuzzy Hash: 9e973a8c3555f4eb24f0b8ebfcc6161375dadd9c45ee45004ec477c379de15ec
                                                                                                                                          • Instruction Fuzzy Hash: DD11C231300B0442EB998F72E9547A963A2FF8CFC4F18C024EE0A07B58DE39C5498701