Windows Analysis Report
eth.exe

Overview

General Information

Sample name: eth.exe
Analysis ID: 1585411
MD5: 87c3dd67bfa3009d89f7b45b01d705b8
SHA1: 7eb74405565dd5971298b2a2c8de9116d08db2d5
SHA256: 92722d28951672263b79cd30eb975d770cfd5bd5ff53344fd329546fb950f155
Tags: CoinMiner, exe, user-aachum

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • eth.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\eth.exe" MD5: 87C3DD67BFA3009D89F7B45B01D705B8)
    • powershell.exe (PID: 6968 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4420 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7120 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 3740 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6604 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 428 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6312 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6216 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 6220 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • MpCmdRun.exe (PID: 7104 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
          • conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 4480 cmdline: C:\Windows\system32\sc.exe delete "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6176 cmdline: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5572 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6624 cmdline: C:\Windows\system32\sc.exe start "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lrgkmixyjzta.exe (PID: 6604 cmdline: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe MD5: 87C3DD67BFA3009D89F7B45B01D705B8)
    • powershell.exe (PID: 1020 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6880 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6392 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2652 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5088 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4268 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2080 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 2076 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 4856 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 4852 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Source | Rule | Description | Author | Strings
52.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
52.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
52.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
52.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eth.exe", ParentImage: C:\Users\user\Desktop\eth.exe, ParentProcessId: 6932, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6968, ProcessName: powershell.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 192.248.189.11, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\dialer.exe, Initiated: true, ProcessId: 4852, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eth.exe", ParentImage: C:\Users\user\Desktop\eth.exe, ParentProcessId: 6932, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6968, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 6220, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\eth.exe", ParentImage: C:\Users\user\Desktop\eth.exe, ParentProcessId: 6932, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", ProcessId: 6176, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eth.exe", ParentImage: C:\Users\user\Desktop\eth.exe, ParentProcessId: 6932, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6968, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\eth.exe", ParentImage: C:\Users\user\Desktop\eth.exe, ParentProcessId: 6932, ParentProcessName: eth.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5572, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T16:07:29.137106+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 50149 | 1.1.1.1 | 53 | UDP
2025-01-07T16:07:42.569300+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 62393 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T16:07:13.389477+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49736 | 192.248.189.11 | 8888 | TCP

AV Detection

Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | ReversingLabs: Detection: 68%
Source: eth.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 192.248.189.11:8888 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"41ifakragknzbfdnfjzm9djd14pwku6q6adt7y7qtnq4avfwe1bmj8fhgsqtqkv82rxtobqika7ud71ufhvqkmuttjpziaw","pass":"newbies","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: dialer.exe | String found in binary or memory: cryptonight-monerov7
Source: eth.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC64DCE0 FindFirstFileExW, 22_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC6ADCE0 FindFirstFileExW, 22_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0AEDCE0 FindFirstFileExW, 28_2_00000202C0AEDCE0
Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0B4DCE0 FindFirstFileExW, 28_2_00000202C0B4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002A66130DCE0 FindFirstFileExW, 31_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe | Code function: 32_2_000002BAAEDEDCE0 FindFirstFileExW, 32_2_000002BAAEDEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_0000026A879CDCE0 FindFirstFileExW, 51_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_00000179537ADCE0 FindFirstFileExW, 53_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002295D56DCE0 FindFirstFileExW, 54_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_0000025306E6DCE0 FindFirstFileExW, 55_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001845B3ADCE0 FindFirstFileExW, 56_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000001ADECD4DCE0 FindFirstFileExW, 57_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_000001D55907DCE0 FindFirstFileExW, 58_2_000001D55907DCE0
Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:62393 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:50149 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49736 -> 192.248.189.11:8888
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRoot
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001C.00000000.1935133370.00000202C0200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000001C.00000003.1974438872.00000202C037F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~

        System Summary

        barindex
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW
Source: C:\Windows\System32\dwm.exe | Code function: 32_2_000002BAAEDE28C8 NtEnumerateValueKey,NtEnumerateValueKey
Source: C:\Windows\System32\dialer.exe | Code function: 49_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
Source: C:\Windows\System32\dialer.exe | Code function: 50_2_0000000140001394 NtManageHotPatch
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | File created: C:\Windows\TEMP\xwbhmivgxwst.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_zwk4350t.00w.ps1
Source: Joe Sandbox View | Dropped File: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe 92722D28951672263B79CD30EB975D770CFD5BD5FF53344FD329546FB950F155
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\xwbhmivgxwst.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 52.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine | Classification label: mal100.evad.mine.winEXE@70/73@2/1
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 49_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\tdtnwhboinhjvqzo
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zgeuayus.cjp.ps1
Source: eth.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\eth.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: eth.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\eth.exe | File read: C:\Users\user\Desktop\eth.exe
Source: unknown | Process created: C:\Users\user\Desktop\eth.exe "C:\Users\user\Desktop\eth.exe"
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\lsass.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\eth.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
        Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
        Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Section loaded: apphelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: napinsp.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: wshbth.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: winrnr.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\dialer.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: eth.exe | Static PE information: Image base 0x140000000 > 0x60000000
        Source: eth.exe | Static file information: File size 5468672 > 1048576
        Source: eth.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
        Source: eth.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: lrgkmixyjzta.exe, 0000001B.00000003.1967971796.000001A730760000.00000004.00000001.00020000.00000000.sdmp
        Source: C:\Windows\System32\dialer.exe | Code function: 52_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 52_2_00000001408460F0
        Source: eth.exe | Static PE information: section name: .00cfg
        Source: lrgkmixyjzta.exe.0.dr | Static PE information: section name: .00cfg
        Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC62ACDD push rcx; retf 003Fh 22_2_00000225DC62ACDE
        Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC65C6DD push rcx; retf 003Fh 22_2_00000225DC65C6DE
        Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC68ACDD push rcx; retf 003Fh 22_2_00000225DC68ACDE
        Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC6BC6DD push rcx; retf 003Fh 22_2_00000225DC6BC6DE
        Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0ACACDD push rcx; retf 003Fh 28_2_00000202C0ACACDE
        Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0AFC6DD push rcx; retf 003Fh 28_2_00000202C0AFC6DE
        Source: C:\Windows\System32\lsass.exe | Code function: 28_2_00000202C0B5C6DD push rcx; retf 003Fh 28_2_00000202C0B5C6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002A6612EACDD push rcx; retf 003Fh 31_2_000002A6612EACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002A66131C6DD push rcx; retf 003Fh 31_2_000002A66131C6DE
        Source: C:\Windows\System32\dwm.exe | Code function: 32_2_000002BAAEDCACDD push rcx; retf 003Fh 32_2_000002BAAEDCACDE
        Source: C:\Windows\System32\dwm.exe | Code function: 32_2_000002BAAEDFC6DD push rcx; retf 003Fh 32_2_000002BAAEDFC6DE
        Source: C:\Windows\System32\dialer.exe | Code function: 50_2_0000000140001394 push qword ptr [0000000140009004h]; ret 50_2_0000000140001403
        Source: C:\Windows\System32\svchost.exe | Code function: 51_2_0000026A879AACDD push rcx; retf 003Fh 51_2_0000026A879AACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 53_2_000001795378ACDD push rcx; retf 003Fh 53_2_000001795378ACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 53_2_00000179537BC6DD push rcx; retf 003Fh 53_2_00000179537BC6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002295D54ACDD push rcx; retf 003Fh 54_2_000002295D54ACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002295D57C6DD push rcx; retf 003Fh 54_2_000002295D57C6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000253067EACDD push rcx; retf 003Fh 55_2_00000253067EACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 55_2_0000025306E7C6DD push rcx; retf 003Fh 55_2_0000025306E7C6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001845B3BC6DD push rcx; retf 003Fh 56_2_000001845B3BC6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 57_2_000001ADECD5C6DD push rcx; retf 003Fh 57_2_000001ADECD5C6DE
        Source: C:\Windows\System32\svchost.exe | Code function: 58_2_000001D55905ACDD push rcx; retf 003Fh 58_2_000001D55905ACDE
        Source: C:\Windows\System32\svchost.exe | Code function: 58_2_000001D55908C6DD push rcx; retf 003Fh 58_2_000001D55908C6DE

        Persistence and Installation Behavior

        Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | File created: C:\Windows\TEMP\xwbhmivgxwst.sys
        Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | File created: C:\Windows\Temp\xwbhmivgxwst.sys
        Source: C:\Users\user\Desktop\eth.exe | File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
        Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

        Hooking and other Techniques for Hiding and Protection

        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
        Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
        Source: C:\Windows\System32\lsass.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\dialer.exe ; Code function: 17_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
        Source: C:\Windows\System32\dialer.exe ; Code function: 49_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
        Source: C:\Windows\System32\dialer.exe ; System information queried: FirmwareTableInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Thread delayed: delay time: 922337203685477 (reported 2 times)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 4984
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 4859
        Source: C:\Windows\System32\winlogon.exe ; Window / User API: threadDelayed 4080
        Source: C:\Windows\System32\winlogon.exe ; Window / User API: threadDelayed 5919
        Source: C:\Windows\System32\lsass.exe ; Window / User API: threadDelayed 9907
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 6548
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 2966
        Source: C:\Windows\System32\dwm.exe ; Window / User API: threadDelayed 9869
        Source: C:\Windows\System32\dialer.exe ; Window / User API: threadDelayed 1332
        Source: C:\Windows\System32\dialer.exe ; Window / User API: threadDelayed 459
        Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe ; Dropped PE file which has not been started: C:\Windows\Temp\xwbhmivgxwst.sys
        Source: C:\Windows\System32\svchost.exe ; Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_31-14869)
        Source: C:\Windows\System32\dialer.exe ; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_17-480)
        Source: C:\Windows\System32\winlogon.exe ; API coverage: 6.8 %
        Source: C:\Windows\System32\lsass.exe ; API coverage: 4.0 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.9 %
        Source: C:\Windows\System32\dialer.exe ; API coverage: 0.9 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.7 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 5.1 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.9 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 5.9 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.7 %
        Source: C:\Windows\System32\svchost.exe ; API coverage: 4.9 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 ; Thread sleep count: 4984 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 ; Thread sleep count: 4859 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416 ; Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 6248 ; Thread sleep count: 32 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 6024 ; Thread sleep count: 4080 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 6024 ; Thread sleep time: -4080000s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 6024 ; Thread sleep count: 5919 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 6024 ; Thread sleep time: -5919000s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 7112 ; Thread sleep count: 9907 > 30
        Source: C:\Windows\System32\lsass.exe TID: 7112 ; Thread sleep time: -9907000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156 ; Thread sleep count: 6548 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168 ; Thread sleep count: 2966 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200 ; Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7100 ; Thread sleep count: 243 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7100 ; Thread sleep time: -243000s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 4420 ; Thread sleep count: 9869 > 30
        Source: C:\Windows\System32\dwm.exe TID: 4420 ; Thread sleep time: -9869000s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 2212 ; Thread sleep count: 1332 > 30
        Source: C:\Windows\System32\dialer.exe TID: 2212 ; Thread sleep time: -133200s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 3196 ; Thread sleep count: 459 > 30
        Source: C:\Windows\System32\dialer.exe TID: 3196 ; Thread sleep time: -45900s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2568 ; Thread sleep count: 253 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2568 ; Thread sleep time: -253000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3228 ; Thread sleep count: 254 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3228 ; Thread sleep time: -254000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 3104 ; Thread sleep count: 254 > 30
        Source: C:\Windows\System32\svchost.exe TID: 3104 ; Thread sleep time: -254000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2652 ; Thread sleep count: 250 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2652 ; Thread sleep time: -250000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1360 ; Thread sleep count: 200 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1360 ; Thread sleep time: -200000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1188 ; Thread sleep count: 254 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1188 ; Thread sleep time: -254000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5088 ; Thread sleep count: 228 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5088 ; Thread sleep time: -228000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5288 ; Thread sleep count: 248 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5288 ; Thread sleep time: -248000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4480 ; Thread sleep count: 232 > 30
        Source: C:\Windows\System32\svchost.exe TID: 4480 ; Thread sleep time: -232000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2108 ; Thread sleep count: 235 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2108 ; Thread sleep time: -235000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 2196 ; Thread sleep count: 246 > 30
        Source: C:\Windows\System32\svchost.exe TID: 2196 ; Thread sleep time: -246000s >= -30000s
        Source: C:\Windows\System32\conhost.exe ; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\dialer.exe ; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\conhost.exe ; Last function: Thread delayed (reported 16 times)
        Source: C:\Windows\System32\dialer.exe ; Last function: Thread delayed (reported 4 times)
        Source: C:\Windows\System32\svchost.exe ; Last function: Thread delayed (reported 24 times)
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC64DCE0 FindFirstFileExW
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC6ADCE0 FindFirstFileExW
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0AEDCE0 FindFirstFileExW
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0B4DCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 31_2_000002A66130DCE0 FindFirstFileExW
        Source: C:\Windows\System32\dwm.exe ; Code function: 32_2_000002BAAEDEDCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 51_2_0000026A879CDCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 53_2_00000179537ADCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 54_2_000002295D56DCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 55_2_0000025306E6DCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 56_2_000001845B3ADCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 57_2_000001ADECD4DCE0 FindFirstFileExW
        Source: C:\Windows\System32\svchost.exe ; Code function: 58_2_000001D55907DCE0 FindFirstFileExW
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Thread delayed: delay time: 922337203685477 (reported 2 times)
        Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp ; Binary or memory string: pvmicshutdownNT SERVICE
        Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp ; Binary or memory string: pvmicvssNT SERVICE
        Source: lsass.exe, 0000001C.00000002.3133512040.00000202C0379000.00000004.00000001.00020000.00000000.sdmp ; Binary or memory string: NXTVMWare
        Source: lsass.exe, 0000001C.00000000.1934061914.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp ; Binary or memory string: pvmicheartbeatNT SERVICE
        Source: C:\Windows\System32\dialer.exe ; API call chain: ExitProcess graph end node (graph_17-413)
        Source: C:\Windows\System32\dialer.exe ; API call chain: ExitProcess graph end node (graph_49-477)
        Source: C:\Windows\System32\dialer.exe ; API call chain: ExitProcess graph end node (graph_52-91)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process information queried: ProcessInformation
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\dialer.exe ; Code function: 52_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
        Source: C:\Windows\System32\dialer.exe ; Code function: 17_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process token adjusted: Debug (reported 2 times)
        Source: C:\Windows\System32\dialer.exe ; Process token adjusted: Debug (reported 2 times)
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC6A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\winlogon.exe ; Code function: 22_2_00000225DC6AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0B4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\lsass.exe ; Code function: 28_2_00000202C0B47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 31_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 31_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\dwm.exe ; Code function: 32_2_000002BAAEDE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\dwm.exe ; Code function: 32_2_000002BAAEDED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\dialer.exe ; Code function: 50_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit
        Source: C:\Windows\System32\svchost.exe ; Code function: 51_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 51_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 53_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 53_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 54_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 54_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 55_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 55_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 56_2_000001845B3AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 56_2_000001845B3A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 57_2_000001ADECD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 57_2_000001ADECD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 58_2_000001D55907D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe ; Code function: 58_2_000001D559077D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
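        The dialer.exe function chain at the top of this section (OpenProcess, token inspection, VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, WaitForSingleObject) is the textbook remote-thread injection primitive, and winlogon.exe, lsass.exe, svchost.exe and dwm.exe are the processes it is used against here. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample: it evaluates records shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) and flags a handle that carries exactly the access rights that chain needs, or a thread created in one of those targets. The PROCESS_* constants are the documented Windows values; the event records are constructed for the example, and the target set, the dialer.exe source list and the allowlist of system processes are assumptions to tune per environment.

```python
"""Flag remote-thread injection of the kind the report attributes to dialer.exe.

Added example (not Joe Sandbox or sample code). Input records mimic the
SourceImage / TargetImage / GrantedAccess fields of Sysmon Event ID 10
(ProcessAccess) and Event ID 8 (CreateRemoteThread); the records at the
bottom are constructed, not captured from a real host.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Documented Windows process access rights. VirtualAllocEx needs
# PROCESS_VM_OPERATION, WriteProcessMemory needs PROCESS_VM_WRITE (plus
# VM_OPERATION) and NtCreateThreadEx needs PROCESS_CREATE_THREAD, so a handle
# carrying all three is the minimum the observed API chain requires.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: the processes the report shows receiving RWX allocations, plus explorer.exe.
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe", "svchost.exe", "dwm.exe", "explorer.exe"}
# Assumption: signed Windows binaries with no legitimate reason to write into other processes.
LOLBIN_SOURCES = {"dialer.exe"}
# Assumption: system processes that legitimately hold full-access handles to others.
ALLOWLISTED_SOURCES = {"csrss.exe", "services.exe", "wininit.exe", "msmpeng.exe"}


@dataclass(frozen=True)
class Event:
    event_id: int            # 10 = ProcessAccess, 8 = CreateRemoteThread
    source_image: str
    target_image: str
    granted_access: int = 0  # only present on Event ID 10


@dataclass(frozen=True)
class Alert:
    rule: str
    source: str
    target: str


def _basename(path: str) -> str:
    # Compare on the image name only, case-insensitively, as Sysmon logs full paths.
    return ntpath.basename(path).lower()


def evaluate(ev: Event) -> Alert | None:
    """Return an Alert for one event, or None when it is not suspicious."""
    src, dst = _basename(ev.source_image), _basename(ev.target_image)
    if src in ALLOWLISTED_SOURCES:
        return None
    if ev.event_id == 8 and dst in SENSITIVE_TARGETS:
        return Alert("remote_thread_into_sensitive_process", src, dst)
    if ev.event_id == 10 and (ev.granted_access & INJECT_MASK) == INJECT_MASK:
        # A full-access handle (0x1FFFFF) also satisfies the mask check.
        if dst in SENSITIVE_TARGETS or src in LOLBIN_SOURCES:
            return Alert("injection_capable_handle", src, dst)
    return None


def scan(events) -> list[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event(10, r"C:\Windows\System32\dialer.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    Event(8, r"C:\Windows\System32\dialer.exe", r"C:\Windows\System32\winlogon.exe"),
    Event(10, r"C:\Windows\System32\Taskmgr.exe", r"C:\Windows\System32\svchost.exe", 0x1000),
    Event(10, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\svchost.exe", 0x1FFFFF),
    Event(8, r"C:\Program Files\App\app.exe", r"C:\Program Files\App\helper.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.source} -> {alert.target}")
```

        The Taskmgr.exe record is there to show why the mask matters: a 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) handle to svchost.exe is routine and must not fire, while the same target opened with write and thread-creation rights does. Event ID 10 on lsass.exe is high volume on real hosts, so the allowlist is the knob to tune before deploying anything like this; the sleep-count and API-coverage lines in the report are sandbox-side measurements with no equivalent in host telemetry and are not covered here.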

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAED80000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B5645B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2108B980000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19E29CC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: 87D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 233A75D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FE0C900000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CBB1650000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1E8C4120000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 27F238C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 14D106C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 24C26EB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C318F60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17662060000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F3A7050000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B4E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B510000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,17_2_0000000140001C88
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC67273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C0B1273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6133273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AEDB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D53273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B37273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBFD273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5904273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E7273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7316273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E86273C
        Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 473C273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6F9D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 83BC273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D3F7273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A415273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: BDF3273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C026273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C9F3273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 645B273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7B2A273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4F6273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2AB4273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4ADB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 199273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 25DA273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F535273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F0D6273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FFB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C257273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8B98273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6694273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 13EF273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8D57273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 69B4273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CC74273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5DA7273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 199D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F389273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3B8273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 40E4273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A653273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 29CC273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7B15273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 621A273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2F48273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8B4B273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 683D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 87D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2E26273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6C5E273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D593273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FC65273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7874273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 33B4273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8D0A273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AB4C273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2A64273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6CF3273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 641A273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4935273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 60DB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5E7B273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2F7C273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E815273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5234273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 9DA9273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 602E273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A75D273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C90273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B165273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C412273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 238C273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 106C273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 26EB273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 18F6273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6206273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A705273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2B4E273C
        Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 2B51273C
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108B980000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 233A75D0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FE0C900000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1CBB1650000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1E8C4120000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 27F238C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 14D106C0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 24C26EB0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C318F60000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17662060000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F3A7050000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B4E0000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B510000 value starts with: 4D5AJump to behavior
        Source: C:\Windows\System32\dialer.exeMemory written: PID: 2580 base: 87D0000 value: 4DJump to behavior
Source: C:\Users\user\Desktop\eth.exe | Thread register set: target process: 6220
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Thread register set: target process: 2076
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Thread register set: target process: 4856
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Thread register set: target process: 4852
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 14BC5D10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108B980000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 233A75D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1FE0C900000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CBB1650000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E8C4120000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 27F238C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14D106C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 24C26EB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C318F60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17662060000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F3A7050000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B4E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1B32B510000
Source: C:\Users\user\Desktop\eth.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
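The memory-write, thread-context and process-creation rows above are what a responder has to pivot on: a signed Windows binary (dialer.exe) spawned from C:\ProgramData and the user's Desktop, writing PE images (the 4D5A "MZ" header) into dozens of system processes including lsass.exe and winlogon.exe, followed by wusa.exe uninstalling KB890830. The helper below is an added example written for this page, not Joe Sandbox's or the sample's own logic. It parses the three row shapes as they appear here (recovering the Source/Description split that the extraction fused), builds a per-source histogram of injection targets, and rates each row with three rules that are this example's own assumptions: any foreign write is at least medium; a PE header write or a write by a binary on an assumed LOLBin list raises it; a target on an assumed sensitive-process list raises it again. Two process-creation rules are also assumptions: wusa /uninstall /kb:890830 is flagged because KB890830 is the Windows Malicious Software Removal Tool, and a LOLBin launched by a parent outside C:\Windows or C:\Program Files is flagged. The sample rows are copied from this report, plus one constructed benign control row.

```python
"""Triage helper for flattened Joe Sandbox behaviour rows (added example, not
report or sample code). Recovers the Source/Description split the extraction
fused and applies prioritisation rules that are this example's own."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumption: a foreign write into one of these is serious on its own.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "dwm.exe", "explorer.exe",
                     "smartscreen.exe", "mpcmdrun.exe", "wmiprvse.exe"}
# Assumption: signed Windows binaries with no legitimate reason to write into other processes.
LOLBIN_INJECTORS = {"dialer.exe"}
# Assumption: parents a System32 binary is normally started from; anything else is suspect.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LEVELS = ("low", "medium", "high", "critical")

# Row shapes exactly as they appear on this page ("Jump to behavior" is link residue).
MEM_RE = re.compile(
    r"^Source: (?P<src>.+?)Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?(?: value: (?P<value>[0-9A-Fa-f]+))?"
    r"(?:Jump to behavior)?$")
THREAD_RE = re.compile(r"^Source: (?P<src>.+?)Thread register set: target process: (?P<pid>\d+)")
PROC_RE = re.compile(
    r"^Source: (?P<src>.+?)Process created: (?P<image>.+?\.exe) (?P<cmd>.*?)(?:Jump to behavior)?$")


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def parse_rows(lines):
    """Turn rows into dicts tagged with their kind; rows of other types are skipped."""
    rows = []
    for line in lines:
        for kind, rx in (("memwrite", MEM_RE), ("thread_ctx", THREAD_RE), ("proc", PROC_RE)):
            m = rx.match(line.strip())
            if m:
                rows.append({"kind": kind, **m.groupdict()})
                break
    return rows


def _finding(level, rule, src, detail):
    return {"severity": LEVELS[min(level, 3)], "rule": rule, "source": src, "detail": detail}


def triage(lines):
    """Return rated findings plus a source -> target histogram of foreign writes."""
    findings, targets = [], defaultdict(Counter)
    for r in parse_rows(lines):
        src = _name(r["src"])
        if r["kind"] == "memwrite":
            dst = r["dst"] if r["dst"].startswith("PID:") else _name(r["dst"])
            targets[src][dst] += 1
            is_pe = (r["magic"] or "").upper().startswith("4D5A")   # "MZ": a PE image is being dropped
            level = 1                                                # any foreign write is medium
            level += int(is_pe or src in LOLBIN_INJECTORS)           # image write or LOLBin host
            level += int(dst in SENSITIVE_TARGETS)                   # security-relevant target
            rule = "pe_image_injected" if is_pe else "foreign_memory_write"
            findings.append(_finding(level, rule, src, f"{dst} @ {r['base']}"))
        elif r["kind"] == "thread_ctx":
            findings.append(_finding(1, "thread_context_set", src, f"pid {r['pid']}"))
        else:
            child, cmd = _name(r["image"]), r["cmd"].lower()
            if child == "wusa.exe" and "/uninstall" in cmd and "/kb:890830" in cmd:
                # KB890830 is the Malicious Software Removal Tool: defence impairment.
                findings.append(_finding(2, "msrt_uninstalled", src, r["cmd"]))
            if child in LOLBIN_INJECTORS and not r["src"].lower().startswith(TRUSTED_PARENT_PREFIXES):
                findings.append(_finding(2, "lolbin_from_untrusted_parent", src, r["image"]))
    return {"findings": findings, "injection_targets": {s: dict(c) for s, c in targets.items()}}


def severity_counts(lines):
    return Counter(f["severity"] for f in triage(lines)["findings"])


# Rows copied from this report, plus one constructed benign control row at the end.
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 87D0000 value starts with: 4D5AJump to behavior",
    r"Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000Jump to behavior",
    r"Source: C:\Windows\System32\lsass.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 14BC5D10000Jump to behavior",
    r"Source: C:\Windows\System32\dialer.exeMemory written: PID: 2580 base: 87D0000 value: 4DJump to behavior",
    r"Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exeThread register set: target process: 2076Jump to behavior",
    r"Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior",
    r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\notepad.exe notepad.exe C:\Users\user\notes.txt",  # constructed control
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for f in sorted(result["findings"], key=lambda f: LEVELS.index(f["severity"]), reverse=True):
        print(f"{f['severity']:<8} {f['rule']:<30} {f['source']:<20} {f['detail']}")
    print(result["injection_targets"])
```

Run against the full row list of this report rather than the sample, the histogram immediately shows the shape of the campaign (one injector, every long-lived system process as a target) and the critical findings reduce to the handful of rows worth opening first: the writes into lsass.exe, winlogon.exe, explorer.exe and smartscreen.exe, and the lsass.exe to MpCmdRun.exe write, which only makes sense once lsass.exe itself has been injected.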
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 17_2_0000000140001B54
Source: winlogon.exe, 00000016.00000000.1928964747.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3131905362.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000000.1928964747.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3131905362.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000000.1928964747.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3131905362.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winlogon.exe, 00000016.00000000.1928964747.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3131905362.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC6236F0 cpuid 22_2_00000225DC6236F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC647960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 22_2_00000225DC647960
Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (techniques listed per tactic column, in matrix row order; a number in square brackets is the count badge the matrix shows for a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain

Execution: [21] Windows Management Instrumentation; [2] Native API; [1] Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell

Persistence: [1] DLL Side-Loading; [11] Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task

Privilege Escalation: [1] DLL Side-Loading; [1] Access Token Manipulation; [11] Windows Service; [713] Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task

Defense Evasion: [1] Disable or Modify Tools; [1] Obfuscated Files or Information; [1] Install Root Certificate; [1] DLL Side-Loading; [1] File Deletion; [4] Rootkit; [1] Masquerading; [1] Modify Registry; [131] Virtualization/Sandbox Evasion; [1] Access Token Manipulation; [713] Process Injection; [1] Hidden Files and Directories

Credential Access: [1] Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging

Discovery: [1] System Time Discovery; [1] File and Directory Discovery; [24] System Information Discovery; [341] Security Software Discovery; [2] Process Discovery; [131] Virtualization/Sandbox Evasion; [1] Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content

Collection: [1] Archive Collected Data; [1] Credential API Hooking; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture

Command and Control: [1] Encrypted Channel; [1] Non-Application Layer Protocol; [1] Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium

Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
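The Defense Evasion column's "Disable or Modify Tools" hit corresponds to the "Adds a directory exclusion to Windows Defender" behaviour in the process graph, and the report's signature list flags a base64-encoded MpPreference cmdlet passed to PowerShell. The report does not show the exact command line, so the detector below is an added example, not part of the Joe Sandbox report and not code from the sample: it recovers the UTF-16LE script behind -EncodedCommand (and its common abbreviations) and flags Add-/Set-/Remove-MpPreference calls that add exclusions or disable protections. The command lines it scans are constructed; the exclusion path in them is a placeholder, not a path taken from the report.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the forms seen in practice.
ENCODED_FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
# Defender-tampering cmdlets: any exclusion switch, or any Disable* switch, on the MpPreference cmdlets.
MPPREF_RE = re.compile(
    r"(?i)\b(Add|Set|Remove)-MpPreference\b[^\r\n]*?-(Exclusion(?:Path|Process|Extension|IpAddress)|Disable\w+)"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 over UTF-16LE), or None if absent/undecodable."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    token += "=" * (-len(token) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline: str) -> dict:
    """Classify one process command line; 'suspicious' is True when a plain or decoded MpPreference tamper is present."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    m = MPPREF_RE.search(haystack)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "suspicious": m is not None,
        "cmdlet": m.group(0) if m else None,
    }


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used only to construct the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines; 'placeholder_dir' is a placeholder, not from the report.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + _encode("Add-MpPreference -ExclusionPath 'C:\\ProgramData\\placeholder_dir'"),
    "powershell.exe -enc " + _encode("Get-Date"),
    'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    "powershell.exe -Command Get-MpPreference",
]


def scan_all(lines=SAMPLE_CMDLINES) -> list:
    """Scan a batch of command lines (e.g. Sysmon event 1 / Security 4688 CommandLine fields)."""
    return [scan_command_line(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_CMDLINES, scan_all()):
        print(verdict["suspicious"], verdict["cmdlet"], "<-", line[:60])
```

Feed it the CommandLine field of process-creation events; the regex deliberately ignores Get-MpPreference so that inventory scripts do not fire, and the decoder returns None rather than raising on a token that is not valid base64 or not valid UTF-16LE.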
        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph (ID 1585411; sample: eth.exe; start date: 07/01/2025; architecture: WINDOWS; score: 100)

Top-level signatures:
  - Malicious sample detected (through community Yara rule)
  - Multi AV Scanner detection for submitted file
  - Yara detected Xmrig cryptocurrency miner
  - 9 other signatures
Contacted host: pool.hashvault.pro

eth.exe (started)
  dropped: C:\ProgramData\...\lrgkmixyjzta.exe, PE32+
  signatures: Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
  +- dialer.exe (started)
  |    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
  |    +- lsass.exe (injected)
  |    |    signatures: Installs new ROOT certificates; Writes to foreign memory regions
  |    |    +- MpCmdRun.exe (started)
  |    |         +- conhost.exe (started)
  |    +- winlogon.exe (injected)
  |    +- 2 other processes
  +- powershell.exe (started)
  |    signatures: Loading BitLocker PowerShell Module
  |    +- conhost.exe (started)
  +- sc.exe (started)
  |    signatures: Adds a directory exclusion to Windows Defender
  |    +- conhost.exe (started)
  +- 9 other processes (started)
       +- 10 other processes

lrgkmixyjzta.exe (started)
  dropped: C:\Windows\Temp\xwbhmivgxwst.sys, PE32+
  signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver
  +- dialer.exe (started)
  |    signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  |    +- 11 other processes
  +- powershell.exe (started)
  |    +- conhost.exe (started)
  +- dialer.exe (started)
  |    signatures: Query firmware table information (likely to detect VMs)
  |    network: pool.hashvault.pro, 192.248.189.11 (AS-CHOOPAUS, France), TCP 49736 -> 8888 (49736 is in the Windows ephemeral range, so 8888 is the pool-side port)
  |    network signature: Detected Stratum mining protocol
  +- 7 other processes
       +- 7 other processes
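The "Detected Stratum mining protocol" tag on the dialer.exe connection to pool.hashvault.pro:8888 is a payload-level verdict: pools listen on arbitrary ports, so the port is not the evidence, the newline-delimited JSON-RPC handshake is. The detector below is an added example, not part of the Joe Sandbox report and not code from the sample. The three payloads are constructed; the wallet, worker, agent strings and the non-pool hostnames are placeholders, and the only value taken from this report is the hashvault.pro domain suffix.

```python
import json
import re
from typing import Optional

# Constructed first client->server line of an XMRig-style Stratum session (wallet/worker/agent are placeholders).
SAMPLE_STRATUM_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER.worker1",'
    b'"pass":"x","agent":"XMRig/6.22.0 (Windows NT 10.0; Win64; x64) libuv/1.48.0 msvc/2019",'
    b'"algo":["rx/0","cn/r"]}}\n'
)
# Constructed legacy Stratum v1 subscribe line (the shape Bitcoin-style pools use); agent is a placeholder.
SAMPLE_STRATUM_V1 = b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
# Constructed non-mining payload on the same port, to show the detector stays quiet.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# JSON-RPC methods of the XMRig dialect; the v1 dialect prefixes its methods with "mining.".
XMRIG_METHODS = {"login", "submit", "job", "keepalived", "getjob"}
MINER_AGENT_RE = re.compile(r"^(xmrig|xmrig-proxy|cpuminer|srbminer|lolminer|t-rex|nbminer)\b", re.I)
# Pool domain suffixes flagged on their own; this one is the pool contacted in the report.
KNOWN_POOL_SUFFIXES = ("hashvault.pro",)


def parse_stratum(payload: bytes) -> Optional[dict]:
    """Return the first JSON-RPC message in a TCP stream prefix that carries a Stratum method, else None."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if isinstance(method, str) and (method in XMRIG_METHODS or method.startswith("mining.")):
            return msg
    return None


def flow_verdict(dst_host: str, dst_port: int, payload: bytes) -> dict:
    """Score one outbound flow: protocol evidence from the payload plus destination reputation.

    dst_port is carried through for the analyst only; it is deliberately not used as evidence.
    """
    reasons = []
    agent = None
    msg = parse_stratum(payload)
    if msg is not None:
        reasons.append(f"stratum method {msg['method']!r}")
        params = msg.get("params")
        if isinstance(params, dict):          # XMRig dialect: params is an object with "agent"
            agent = params.get("agent")
        elif isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]                 # v1 dialect: first positional param is the miner version
        if isinstance(agent, str) and MINER_AGENT_RE.match(agent):
            reasons.append(f"miner user agent {agent.split()[0]!r}")
    if dst_host.lower().endswith(KNOWN_POOL_SUFFIXES):
        reasons.append(f"known pool domain {dst_host!r}")
    return {"mining": msg is not None, "agent": agent, "dst_port": dst_port, "reasons": reasons}


if __name__ == "__main__":
    print(flow_verdict("pool.hashvault.pro", 8888, SAMPLE_STRATUM_LOGIN))
    print(flow_verdict("203.0.113.5", 3333, SAMPLE_STRATUM_V1))
    print(flow_verdict("example.invalid", 8888, SAMPLE_HTTP))
```

Run it over the first few hundred bytes of each new outbound TCP stream (from a sensor, a PCAP, or Zeek's raw bytes); the method check is what the verdict rests on, and the agent string and pool domain only add corroborating reasons, so a miner that blanks its agent and uses a fresh pool is still caught by the login/submit handshake.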

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
  Source: eth.exe | Detection: 68% | Scanner: ReversingLabs | Label: Win64.Infostealer.Tinba

Dropped files
  Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | Detection: 68% | Scanner: ReversingLabs | Label: Win64.Infostealer.Tinba
  Source: C:\Windows\Temp\xwbhmivgxwst.sys | Detection: 5% | Scanner: ReversingLabs | Label: (none)

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs
  Source: http://ocsp.msocsp. | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Contacted domains
  Name: pool.hashvault.pro | IP: 192.248.189.11 | Active: true | Malicious: false | Antivirus detection: (none) | Reputation: high

URLs from memory and binaries
  Name: http://ocsp.msocsp. | Source: lsass.exe, 0000001C.00000000.1936129494.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

Contacted IPs
  IP: 192.248.189.11 | Domain: pool.hashvault.pro | Country: France | ASN: 20473 | ASN name: AS-CHOOPAUS | Malicious: false
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1585411
          Start date and time:2025-01-07 16:06:05 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 12m 13s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:48
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:15
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:eth.exe
          Detection:MAL
          Classification:mal100.evad.mine.winEXE@70/73@2/1
          EGA Information:
          • Successful, ratio: 88.2%
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): SIHClient.exe, WmiPrvSE.exe
          • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target eth.exe, PID 6932 because it is empty
          • Execution Graph export aborted for target lrgkmixyjzta.exe, PID 6604 because it is empty
• Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • VT rate limit hit for: eth.exe
Time | Type | Description
10:07:17 | API Interceptor | 1x Sleep call for process: eth.exe modified
10:07:18 | API Interceptor | 43x Sleep call for process: powershell.exe modified
10:07:25 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
10:07:56 | API Interceptor | 338861x Sleep call for process: winlogon.exe modified
10:07:57 | API Interceptor | 254981x Sleep call for process: lsass.exe modified
10:07:58 | API Interceptor | 2631x Sleep call for process: svchost.exe modified
10:08:00 | API Interceptor | 318147x Sleep call for process: dwm.exe modified
10:08:04 | API Interceptor | 1239x Sleep call for process: dialer.exe modified
Context

IPs: No context

Domains (Match | Associated sample name | Detection | Threat name | Context IP)
  Match: pool.hashvault.pro
    ZppxPm0ASs.exe | malicious | Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 37.203.243.102
    file.exe | malicious | Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 5.188.137.200
    file.exe | malicious | Xmrig | 37.203.243.102
    file.exe | malicious | DarkVision Rat, Xmrig | 37.203.243.102
    file.exe | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar | 37.203.243.102
    file.exe | malicious | DarkVision Rat, Xmrig | 5.188.137.200
    lokigod.exe | malicious | Xmrig | 37.203.243.102

ASNs (Match | Associated sample name | Detection | Threat name | Context IP)
  Match: AS-CHOOPAUS
    cZO.exe | malicious | Unknown | 108.61.189.74
    Fantazy.arm7.elf | malicious | Mirai | 149.253.168.94
    momo.arm7.elf | malicious | Mirai | 137.220.48.181
    z0r0.x86.elf | malicious | Mirai | 45.32.45.161
    1.elf | malicious | Unknown | 185.103.202.108
    3.elf | malicious | Unknown | 108.61.224.55
    8n26gvrXUM.exe | malicious | Unknown | 144.202.34.112
    8n26gvrXUM.exe | malicious | Unknown | 144.202.34.112
    Setup.exe.7z | malicious | Unknown | 207.246.91.177
    Hilix.x86.elf | malicious | Mirai | 45.63.53.202

JA3 fingerprints: No context

Dropped files (Match | Associated sample name | Detection | Threat name)
  Match: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
    Solara.exe | malicious | Unknown
  Match: C:\Windows\Temp\xwbhmivgxwst.sys
    file.exe | malicious | Xmrig
    hiwA7Blv7C.exe | malicious | Xmrig
    5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit
    aAcx14Rjtw.exe | malicious | Xmrig
    SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig
    0Ty.png.exe | malicious | Xmrig
    Qhx6a6VLAH.exe | malicious | Xmrig
    88aext0k.exe | malicious | Xmrig
    gaozw40v.exe | malicious | Xmrig
    c2.exe | malicious | Xmrig
                                Process:C:\Users\user\Desktop\eth.exe
                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):5468672
                                Entropy (8bit):6.523912582824609
                                Encrypted:false
                                SSDEEP:98304:CKloGqNsn3EQMZrDn2aOzO5wzv80/rvVioLICFIJV6MGG/ZclhOP9fjSmlNi/LbP:Rloly39MBD2BiwPDV/IkIJV6AZcL49fy
                                MD5:87C3DD67BFA3009D89F7B45B01D705B8
                                SHA1:7EB74405565DD5971298B2A2C8DE9116D08DB2D5
                                SHA-256:92722D28951672263B79CD30EB975D770CFD5BD5FF53344FD329546FB950F155
                                SHA-512:C79F10712BB505D3645C9FDF8EF11BD787AB327FC2F176302DE71B5D4A886026E46E40338A5DB964E4B42BD152F3279FDA8F2F842F99876BEE1B0783D2F74E0E
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 68%
                                Joe Sandbox View:
                                • Filename: Solara.exe, Detection: malicious, Browse
                                Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....;.f.........."...........R.....@..........@..............................S...........`.....................................................<.............S...............S.x...............................(.......8...........x...`............................text...F........................... ..`.rdata..l$.......&..................@..@.data.....R.......R.................@....pdata........S......jS.............@..@.00cfg........S......lS.............@..@.tls..........S......nS.............@....reloc..x.....S......pS.............@..B................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\System32\lsass.exe
                                File Type:very short file (no magic)
                                Category:modified
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3::
                                MD5:93B885ADFE0DA089CDF634904FD59F71
                                SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                Malicious:false
                                Preview:.
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllulbnolz:NllUc
                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                Malicious:false
                                Preview:@...e................................................@..........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:modified
                                Size (bytes):4926
                                Entropy (8bit):3.2425628739997023
                                Encrypted:false
                                SSDEEP:48:FaqdF79/0+AAHdKoqKFxcxkF3/waqdF7DC++AAHdKoqKFxcxkFpiI:cEi+AAsoJjykzEDN+AAsoJjykTX
                                MD5:D3B377342C4AF259DD672A6994B9DE63
                                SHA1:2701EAB95EFB7A969EBFB51B3689D4DA6C8356D6
                                SHA-256:91F677DA8A1ABE95374C43164301713D844B0D6FF4F9334EC2AC1CA5857761B8
                                SHA-512:619913125D4679FA6554B1E49B99A4C82293F3CA79C4F229817AA69B0820541A4718AEBCAC4B54011352F785253865A14BAB822592A90D3D239A97B560C6E3D5
                                Malicious:false
                                Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1510207563435464
                                Encrypted:false
                                SSDEEP:3:Nlllul2lllllZ:NllUClll
                                MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                Malicious:false
                                Preview:@...e.................................:..............@..........
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.166995278585688
                                Encrypted:false
                                SSDEEP:384:qhe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842I:qVUHiapX7xadptrDT9W84L
                                MD5:507F9FB866AB4A59017529ADE7385B48
                                SHA1:05DB2F7338E14B72BF10A4963B5B8F6E2C02360E
                                SHA-256:359EC68745A692354123545A4718F84D17003A77ECC99F79DA777C64A28F3F8E
                                SHA-512:36476351E6C80D7C9A35638EADC4D4579E609F2B5484F17AF66C9CA7BFF90D143667910B320643E17A14268CDA0C327CA6A2016C4723E1D2A16BC5C388CAAAB1
                                Malicious:false
                                Preview:ElfChnk.........1...............1...........p.......!94......................................................................0(g................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.010692427789071
                                Encrypted:false
                                SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                                MD5:26C4C5213F3C6B727417EF07207AC1E0
                                SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                                SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                                SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                                Malicious:false
                                Preview:ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):66960
                                Entropy (8bit):4.1651297600396635
                                Encrypted:false
                                SSDEEP:384:8VdVehfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgVt:3hfXWdLt
                                MD5:F16AE92A8BE7B64559581C00E2E3A836
                                SHA1:A40F8C14A8A54BFD17E0ED1425A68C7CE23252DE
                                SHA-256:5A4758FF83482AF594D282A50FB17746CDAAFA797593621426873550BE3250AB
                                SHA-512:F8F4F5C04764BDC8A6A6199EABFC798922A8AE33A690C1EB15233B85D6A13F9E8B41E0D68F1966D6C2F765481E713E87E27100DF2DD009C080285B832C663B71
                                Malicious:false
                                Preview:ElfChnk.............................................f.........................................................................0%................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............Q}...a............&...............................................................@.......X...a.!.....E..........@Q}...a....&O....bT'O........P........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....O.p....**...................a..........
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.427628037831841
                                Encrypted:false
                                SSDEEP:384:8hTm5mcgXmNQCmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMv:8+aD6CL49mVpgwQFQ
                                MD5:406A9BF828169B544BE6EBB3931EAC98
                                SHA1:F2E6096F0B3151CDF00BE845608CE7ED4887B3B0
                                SHA-256:242E9B526D549D05E921955E42C9F73B7FD401AA21A05EAE4B05B882A2867791
                                SHA-512:32A33B1A8F89CB84578AAD9B96D6322A2BF9AEB01661260DAE8FF291DA833F8883E6F28FDD25C6913EDD6304780C23726038A4A68AED104AD73A3EAD261749D7
                                Malicious:false
                                Preview:ElfChnk..!.......!.......!.......!...................s......................................................................6c..................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.350617287024624
                                Encrypted:false
                                SSDEEP:48:MMWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyzdHLP7jM63ckH58yk8:XNVaO8sMa3Z85ZMLGrjjH3Z85Zu
                                MD5:E932F55E67255C655DDE107A6ABDAE31
                                SHA1:B19D1815035248AA199F8B5029CB5AEBFC5A46E0
                                SHA-256:CA5DA7BDBC748EE87D4A1F31E60BCA6B1560C8C729D7CD4541CBAD9E7B60CED3
                                SHA-512:4E8DCE056FC778E18D14E41ED6BCCE251F5BE9A7604C37E7D0D1251C3A9E83901A43550D321722EB4EE627055A92ADEB2AE5380D1794717A964BDC279CDE0551
                                Malicious:false
                                Preview:ElfChnk.....................................p........3.a......................................................................R............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.014860518194814
                                Encrypted:false
                                SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                                MD5:4FB8E2CF8B3F20534836684947962DC2
                                SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                                SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                                SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                                Malicious:false
                                Preview:ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.15655690871689
                                Encrypted:false
                                SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                                MD5:2DE60575CB719BF51FAB8A63F696B052
                                SHA1:BD44E6B92412898F185D5565865FEA3778573578
                                SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                                SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                                Malicious:false
                                Preview:ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):91264
                                Entropy (8bit):2.480757546477235
                                Encrypted:false
                                SSDEEP:384:Bhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYorDor+Yp:BDCYiODCYi9
                                MD5:E7569D9BE1EF216FA97C08048635CAEE
                                SHA1:79BDA336C0D84D2F390696C6CD04AF0D8CD4CE1C
                                SHA-256:72BC9EDF48B5311A049C0F0E4ADCACBA2D5B8647EE97C424536B657E0C230A0D
                                SHA-512:89B1C827ACD57AEF16EFAD348BA84BD7FAB47E02076A140785C6D5E9BED2F38FBCBC7F9FB3BD2CEAED5F492498B857C8B5E0CF44BF613D384DD5DCB35CB879E7
                                Malicious:false
                                Preview:ElfChnk.....................................8J..pL..G....................................................................... x..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/...........$..U)..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8524226245257144
                                Encrypted:false
                                SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                                MD5:B8E105CC52B7107E2757421373CBA144
                                SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                                SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                                SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                                Malicious:false
                                Preview:ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8432997252442703
                                Encrypted:false
                                SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                                MD5:39EE3557626C7F112A88A4DE12E904C1
                                SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                                SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                                SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                                Malicious:false
                                Preview:ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.9223892466691472
                                Encrypted:false
                                SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
                                MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
                                SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
                                SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
                                SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
                                Malicious:false
                                Preview:ElfChnk.........F...............F...............P............................................................................*................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.838106263184782
                                Encrypted:false
                                SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                                MD5:A2D41740C1BAF781019F282E37288DDF
                                SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                                SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                                SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                                Malicious:false
                                Preview:ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.634418630947688
                                Encrypted:false
                                SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                                MD5:A00BAFFCABB00428EA0512FCECCC55E5
                                SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                                SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                                SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                                Malicious:false
                                Preview:ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.0646587531847893
                                Encrypted:false
                                SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                                MD5:399CAF70AC6E1E0C918905B719A0B3DD
                                SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                                SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                                SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                                Malicious:false
                                Preview:ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.4364303862010575
                                Encrypted:false
                                SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                                MD5:2BB73ACC8F7419459C4BF931AB85352C
                                SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                                SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                                SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                                Malicious:false
                                Preview:ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m................*..............%................ ..................&............0......................**......p..........T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.0631557320109892
                                Encrypted:false
                                SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                                MD5:86AEA3A9CA3E5909FD44812754E52BD6
                                SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                                SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                                SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                                Malicious:false
                                Preview:ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.4467272005363894
                                Encrypted:false
                                SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                                MD5:155681C222D825199B738E8DEC707DC8
                                SHA1:704C800E7313F77A218203554E1428DF2819BC34
                                SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                                SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                                Malicious:false
                                Preview:ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.156155224835584
                                Encrypted:false
                                SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                                MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                                SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                                SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                                SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                                Malicious:false
                                Preview:ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.9197999988543422
                                Encrypted:false
                                SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                                MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                                SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                                SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                                SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                                Malicious:false
                                Preview:ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
                                Category:dropped
                                Size (bytes):76040
                                Entropy (8bit):4.551962368092256
                                Encrypted:false
                                SSDEEP:768:aLjpPv++M48PFVbUa+5mh1LjpPv++M48PFVbUa+5mhyY20sMY3Dp13/n/ydIxm6c:TU
                                MD5:4D4F6AF59A52CCB78A71DFC5DAF68A2E
                                SHA1:935B7735AF4E64296DD2B1E66376FE709C7698F0
                                SHA-256:2A71CB79829455CFD7E0F7444EA144E2044D43A1ED4696A76755473AADC379E8
                                SHA-512:01F9E17815BB4354BA3C07F91BB4B575B20AA4B5A66D5C51CBC5630E06F2CFA17613E9E0D2976DD110A6561543A8FB6B3D44E0BB60D8174EA3FD4B4088921AB0
                                Malicious:false
                                Preview:ElfFile.....................................................................................................................I..ElfChnk......................................$...(..3..V....................................................................>...................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
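Every dropped file in this run of svchost.exe writes begins with the EVTX chunk magic `ElfChnk` (one 64 KiB chunk each), and the 76040-byte file is a complete `ElfFile` log that libmagic summarises as "2 chunks (no. 1 in use), next record no. 143, DIRTY". When event-log files turn up as dropped artifacts, an analyst wants to confirm they really are EVTX chunks, check the header and record CRC32s before trusting their contents, and read the DIRTY flag, which means the log was not cleanly flushed or closed. The parser below is an added example, not Joe Sandbox code or output; field offsets follow the public EVTX format description (libevtx), and the file header and chunk it parses are constructed in the block itself rather than taken from the report.

```python
"""EVTX file/chunk header parser with checksum verification (added example).
Offsets follow the public EVTX format description (libevtx). The headers
built at the bottom are CONSTRUCTED sample data, not the report's files."""
import struct
import zlib
from dataclasses import dataclass

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_BLOCK = 4096   # chunks start at this offset in an ElfFile
CHUNK_SIZE = 65536         # matches the 65536-byte dropped ElfChnk files
FLAG_DIRTY = 0x1           # log was not cleanly flushed/closed
FLAG_FULL = 0x2

@dataclass
class FileHeader:
    first_chunk: int
    last_chunk: int
    next_record_id: int
    major: int
    minor: int
    chunk_count: int
    flags: int
    checksum_ok: bool      # CRC32 of bytes 0..120 vs field at offset 124

@dataclass
class ChunkHeader:
    first_record_id: int
    last_record_id: int
    last_record_offset: int
    free_space_offset: int
    checksum_ok: bool          # CRC32 over bytes 0..120 and 128..512
    records_checksum_ok: bool  # CRC32 over record data 512..free_space_offset

def parse_file_header(buf: bytes) -> FileHeader:
    """Parse the 128-byte fixed part of the 4096-byte EVTX file header."""
    if len(buf) < 128 or buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file header")
    (first, last, next_id, hdr_size, minor, major,
     block_size, chunks) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, crc = struct.unpack_from("<II", buf, 120)
    if hdr_size != 128 or block_size != FILE_HEADER_BLOCK:
        raise ValueError("unexpected EVTX header sizes")
    return FileHeader(first, last, next_id, major, minor, chunks, flags,
                      zlib.crc32(buf[:120]) == crc)

def describe(h: FileHeader) -> str:
    """Render the same summary libmagic prints for an ElfFile."""
    s = f"MS Windows Vista Event Log, {h.chunk_count} chunks (no. {h.last_chunk} in use)"
    if h.next_record_id > 1:
        s += f", next record no. {h.next_record_id}"
    if h.flags & FLAG_DIRTY:
        s += ", DIRTY"
    if h.flags & FLAG_FULL:
        s += ", FULL"
    return s

def parse_chunk_header(chunk: bytes) -> ChunkHeader:
    """Parse one 64 KiB chunk (a dropped ElfChnk blob or a slice of ElfFile)."""
    if len(chunk) < 512 or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    (_first_num, _last_num, first_id, last_id, hdr_size, last_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    crc = struct.unpack_from("<I", chunk, 124)[0]
    if hdr_size != 128 or not 512 <= free_off <= len(chunk):
        raise ValueError("unexpected EVTX chunk header")
    hdr_ok = zlib.crc32(chunk[:120] + chunk[128:512]) == crc
    rec_ok = zlib.crc32(chunk[512:free_off]) == rec_crc
    return ChunkHeader(first_id, last_id, last_off, free_off, hdr_ok, rec_ok)

# --- constructed sample data (assumed values, not from the report) -------
def build_file_header(chunk_count: int, last_chunk: int,
                      next_record_id: int, flags: int) -> bytes:
    hdr = bytearray(FILE_HEADER_BLOCK)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, last_chunk, next_record_id,
                     128, 1, 3, FILE_HEADER_BLOCK, chunk_count)
    struct.pack_into("<I", hdr, 120, flags)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr)

def build_chunk(first_id: int, last_id: int, free_space_offset: int) -> bytes:
    """A chunk whose record area (512..free_space_offset) is zero-filled."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIII", chunk, 8, first_id, last_id, first_id,
                     last_id, 128, 512, free_space_offset)
    struct.pack_into("<I", chunk, 52,
                     zlib.crc32(bytes(chunk[512:free_space_offset])))
    struct.pack_into("<I", chunk, 124,
                     zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    return bytes(chunk)

if __name__ == "__main__":
    print(describe(parse_file_header(build_file_header(2, 1, 143, FLAG_DIRTY))))
    print(parse_chunk_header(build_chunk(1, 142, 0x2000)))
```

To triage real dropped files, feed the 65536-byte `ElfChnk` blobs to `parse_chunk_header` and the `ElfFile` to `parse_file_header`; a header that parses but fails either CRC32 is either still being written by the Event Log service or has been altered after the service wrote it, and should be compared against the live log on the host before any record in it is relied on.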
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):5.718426658668259
                                Encrypted:false
                                SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
                                MD5:8630011707C7BFBCECC0A9430637802E
                                SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
                                SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
                                SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9963080376858662
                                Encrypted:false
                                SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                                MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                                SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                                SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                                SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.076996627399968
                                Encrypted:false
                                SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                                MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                                SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                                SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                                SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.1990724733406406
                                Encrypted:false
                                SSDEEP:384:OQXhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRU:OQXZxGp9x1V
                                MD5:0F0E617491581DFB384EF98D35DA2E6C
                                SHA1:DA44005FFE22D7BAD38C4AC4D6C434FBC11640AA
                                SHA-256:56451C0B5681016F4EF8B38DB1EED8800E5E5C9D3A8D30330FB9797EA295075A
                                SHA-512:9CD491D7DDFBDEEBD2F9E47AF1FC111B0EF3FCA55B497BE30DCE06153741E8B434D8E5393A5C825EF5C23897BDFC57F0C572475D881F4A90837EF53862F625F5
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.801423310886069
                                Encrypted:false
                                SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                                MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                                SHA1:542608204AF6B709B06807E9466F7543C0F08818
                                SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                                SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.996272372482282
                                Encrypted:false
                                SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                                MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                                SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                                SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                                SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):69752
                                Entropy (8bit):3.7884186796164028
                                Encrypted:false
                                SSDEEP:768:8CqutDBjV8k+ufeUtHpoVWWa07SZRcZv76NcRUjGHzLKvc90XKcZv76NcRkpyLjh:cutDBjV8k+ufPtHpoVW
                                MD5:5FF79DD3DDC727E247F8F01C3ED81386
                                SHA1:EC790C3CA1AA3A5B84B7AB7633005EB438DD9ABE
                                SHA-256:367243D0816079EE47484E505FFBF3D8B3F4240B3589DA488855B6164A8D2B92
                                SHA-512:25536DFE33560A33C930EF205D10914246DC059F5B2149961A749B480E93D01A4BA5D2BEAC12B78AA104BDBC671FDAE4700A5DCD64185CA12A6086036B4CA1B4
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):67336
                                Entropy (8bit):4.71940041863326
                                Encrypted:false
                                SSDEEP:384:DiK2aYKokh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yq:D2a6kkN2cTOsKPmi0Xx2a6vNrjzDbRt
                                MD5:C4B2D34EB5ABB3B8FEA8DF7E0155C1D9
                                SHA1:027587361018FB82C2DF92513B161E611582A00A
                                SHA-256:FE62AACE79F3E96A13E54167E3616F884A238A202B2B187D753B9BD267FCBE41
                                SHA-512:51EB742671634A56EF6CBE52B30205521A93D4A9A5825F7EBE4812F90FD72DB84A38DAFC105482E2BAB9722D6D69990027BC24F94520D12688B46A7B9EBDD433
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.7590316238843728
                                Encrypted:false
                                SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                                MD5:B074238315662886E2BD70106D08A747
                                SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                                SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                                SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.751139797588402
                                Encrypted:false
                                SSDEEP:1536:5XhaUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:5XwnS
                                MD5:58D7ACB45B8A9FF15488BEBFC8618A3B
                                SHA1:48B4590159B1FF83EB16F576BEA2B35D1B20984B
                                SHA-256:900C00E7CC28A7461A2A9D10DC63DF256023784EEB060ACBED72ED4F88479680
                                SHA-512:997D2CBBAB8DA7AD841FAC39E0E327687B455DE37C0F1C9035E996F73A45933B2AD1549A66C69D3381F765C42B66BF86C4CA36429F881D9EB9D08D9681A4DB04
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.3069197485541766
                                Encrypted:false
                                SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                                MD5:E6E4C860CE7DD1BB499D6A082B461B90
                                SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                                SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                                SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2680
                                Entropy (8bit):3.836709359872013
                                Encrypted:false
                                SSDEEP:48:M8pWXTCKOrCK3QbB69DG0XWsxCKOrCK3Qbkcqr9X8nCKOrCK3Qbkcqry8:WCKOrCKgl69DG0zCKOrCKgbkcG9MnCKA
                                MD5:0238826BA70D6108ABE6CA9619F49964
                                SHA1:BE9E6329D8C59B4F289D9416F903474E7D1EDBDE
                                SHA-256:7BEA773E8641A1F6C393C16F863C5A6BEAF5E9FE4B7BE3A5D0F977B5CB109B20
                                SHA-512:4012A11E147B46923A4EE0F394594DFF13AE2E9DC71D67EA24AD7C91B4CB3C18CF3BB62869C56550222FBB63DDEDFE25A15711CFDE1AADD9B6F778CFA75204B0
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.2909571978750325
                                Encrypted:false
                                SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                                MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                                SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                                SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                                SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.488768580471203
                                Encrypted:false
                                SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                                MD5:E3FB1708C64D250E4D801AFB8688DF35
                                SHA1:8B889F0358683733257411E451A86E3A1D42159D
                                SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                                SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.4956711829740525
                                Encrypted:false
                                SSDEEP:1536:/cRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20Gg:/cRFkL1TWX0gkB/J7oasEfyk2/vKlqkI
                                MD5:483648AF8ADAE95B4E433E0CF2DAB532
                                SHA1:11F45A4F4AEF207ACA1BA945DC74776B8E42D7FE
                                SHA-256:D03501F7A042779B2ABD7282538A4B8B76B877B3C3DE4EC48052C7DB2A2C7BD0
                                SHA-512:92B33BAAF991031F0D2E4FF910469001F2318A8C801198A95E36141E6454A79C6082A5283F2A8BE9571AF98B5DE82F4495EE6CBA4A2CF28BC7122EB11EE5E852
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.494538524021025
                                Encrypted:false
                                SSDEEP:384:ShN7s7o787l7r787a7J7z7+7N17g7Z7Q7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:S9HuCg
                                MD5:BE897B2AA935B784922722DE68762A2E
                                SHA1:E28993EA8A27B96F3E497F3DC6216DBEF9FFB6C6
                                SHA-256:BAE02352040C660DCCA8512DAE074F508F38924A1250CFB6AA8201C7F7F32AAD
                                SHA-512:7237A5830647CBACEBB9F29539D6621D475708C5441F0C57C2238566793AED223DFBE84505295641ABB6BF688E96863F40EF3CD36B2BA1CFBC587529CFF0458C
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):2.1499045494600955
                                Encrypted:false
                                SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                                MD5:2045FB0D54CA8F456B545859B9F9B0A8
                                SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                                SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                                SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8164696340947971
                                Encrypted:false
                                SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                                MD5:1AB19FA472669F4334C7A9D44E94E1B3
                                SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                                SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                                SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                                Malicious:false
                                Preview:ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9855903635327656
                                Encrypted:false
                                SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                                MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                                SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                                SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                                SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                                Malicious:false
                                Preview:ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.165454452307923
                                Encrypted:false
                                SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                                MD5:B6B6F199DA64422984403D7374F32528
                                SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                                SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                                SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                                Malicious:false
                                Preview:ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.8519554794255333
                                Encrypted:false
                                SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                                MD5:4140628CA3CEC29C0B506CEEBDF684F6
                                SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                                SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                                SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                                Malicious:false
                                Preview:ElfChnk.\...............\.......................0..../........................................................................v................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.1642919553794224
                                Encrypted:false
                                SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                                MD5:D7EECF043241FDB9486580582E208603
                                SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                                SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                                SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                                Malicious:false
                                Preview:ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):75320
                                Entropy (8bit):4.582240375056115
                                Encrypted:false
                                SSDEEP:768:yVIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbzc:/+Jao7mce8p8
                                MD5:A37E35724CF81B12C24059D79783EC92
                                SHA1:D510F0BDD0E46C260C2EDE9D8366CC267329F1D7
                                SHA-256:02AFBCE6A997061CE3624D75C4B9CCF1E58E67311A931B5C2B7A144119C0FFCF
                                SHA-512:36BB9811E77FA89B04F55BF0D202325E89A9EB5BEA94268E19C5E4DF2A3D089F2E591822CBA3B7FF91C052F9BD81D2B8840510E023721252D8697DFC6FE50328
                                Malicious:false
                                Preview:ElfChnk.........................................h .....[.....................................................................U..........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..0............................&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.1787699202159383
                                Encrypted:false
                                SSDEEP:384:zhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmNZUm:zY7L0
                                MD5:2EDA72AC37509327C00215C51D72E3DE
                                SHA1:4FCA8E9A64CDDB271F220FE3B2260EF72CAF594D
                                SHA-256:910D1994582E4C5815C16FE9FF531EB7EEDF814FCBA455062CA34803D569E93B
                                SHA-512:827E97E78EFD2694879761659A910AD4A0B236243A832C101EE1ACAFE11A85321946B62E1CDE8E621C60D4873AC3ADCD51F895E7200FA92F10B2403055821AB3
                                Malicious:false
                                Preview:ElfChnk....................................../..(4....HQ.....................................................................H)................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.20415136005983997
                                Encrypted:false
                                SSDEEP:48:MjW4WrP+MZQNRBEZWTENO4bpBko4aa/6FgVt:6kKNVaO80o4aa/6Fg
                                MD5:54B2872377210D11CB732F0D6B5323D0
                                SHA1:A826E8956AB2BB092386B210F9265F95C7399841
                                SHA-256:D29FF7D64A1EA1953855CC8C82D24E37AFFC311C5A3C303C92D14E8DF383CA9F
                                SHA-512:D388C7E8CAF2A0408BFF66E9C49478318AFA756A55D0EE80D79D2A65C3A12CCA1B58BF209689D77CA0DDF11C080FBD6302365D430CCA76B8D49480022B6EE846
                                Malicious:false
                                Preview:ElfChnk..............................................+a....................................................................0................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**................x...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.6469884746870727
                                Encrypted:false
                                SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                                MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                                SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                                SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                                SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                                Malicious:false
                                Preview:ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):3.4033535769808703
                                Encrypted:false
                                SSDEEP:768:bUa0NmaOaSamaGaaaWaeNa+aiaaaaa2aGaCayaea+aSayaGamaSaya+aiaSauaya:CNy
                                MD5:485A6ED1650D0D4C3A385EED383A0221
                                SHA1:C5E519631BF65990E50529CDFA3C859EBE2774AE
                                SHA-256:4A312099F2CDE664A5F9BBDD6A9F22D7623C42E4981C8FB06C2FE36E7C5A49A3
                                SHA-512:E6239A3E0ABC27B8FCBE12C906A909F4F0C0E51008510D447E3C9E02A2AF4A57C9188865BBDB8C1F862B5EAB262F772BDD1A94D553583FCAAE73D348D34E9EA4
                                Malicious:false
                                Preview:ElfChnk.........@...............@...............`...v.Ke......................................................................@.................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H...........+8}...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.3132453844344478
                                Encrypted:false
                                SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                                MD5:6237EE0458A0478242B975E9BB7AA97D
                                SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                                SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                                SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                                Malicious:false
                                Preview:ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.325262033408211
                                Encrypted:false
                                SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                                MD5:D13189B45679E53F5744A4D449F8B00F
                                SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                                SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                                SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                                Malicious:false
                                Preview:ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.7947046118743749
                                Encrypted:false
                                SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                                MD5:55E73A924B170FBFFF862E8E195E839A
                                SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                                SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                                SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                                Malicious:false
                                Preview:ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:modified
                                Size (bytes):132760
                                Entropy (8bit):4.371021959232567
                                Encrypted:false
                                SSDEEP:384:ZoRhR9RKxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8Ru:ZFxA8nPLGbXxA8nPLGblk
                                MD5:3EA3AD07340A672ADEB44580DDDFEA31
                                SHA1:B14645EE1BBC8BFEDA43893885E9D1FACF74F5A2
                                SHA-256:93DDE2B722C4F136EC51B06496356F7B09CA4E614410C515D519FB4AB0D6C5EA
                                SHA-512:FCD819F354F473B9769D0CAD245D9B5DFAE071252850561C584B1B03936E5C7229A330B5A0FEF461D596208AC357D1A12405BB15305E83FBC8987E5CB9248F71
                                Malicious:false
                                Preview:ElfChnk.....................................@...0.....:.....................................................................J..P.....................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**..............8....a.........x68................................................................<.......T...-.!................@8....a..p....~N...?................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......Qb......*...................P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e.......".%.P.r.o.g.r.a.m.D.a.t.a.%.\.M.i.c
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.273338343434408
                                Encrypted:false
                                SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                                MD5:C37372EB51AEDB4552CB839C7294403A
                                SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                                SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                                SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                                Malicious:false
                                Preview:ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.231195890775603
                                Encrypted:false
                                SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                                MD5:3365A34953FD7B16667108A049B64DA5
                                SHA1:C72421A58E063D64072152344B266F8306A78702
                                SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                                SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                                Malicious:false
                                Preview:ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.350444748296741
                                Encrypted:false
                                SSDEEP:384:0h+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwK:0OqabeGTnbuSxhI
                                MD5:4E9A87276B0FB95B4BC0A98A7B895974
                                SHA1:44F2E62751B968F6229493433E1089C5631929EF
                                SHA-256:F7C71EB6D743C8E8765C6F362FC52F54D4095A1E69EC6E7AFB5D947E7A6EE0E1
                                SHA-512:A68C79CE01DE32A99FA8123A375111A0D9074126122E8D0E449241892F12BD9EBB0E7C34FC4150D3CA7B98C9E1B1EC84A1DD81F46BCE6BDFAB8DE76C7DF5766A
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):4.421206160086997
                                Encrypted:false
                                SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                                MD5:67CAD90771EBC0BD20736201D89C1586
                                SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                                SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                                SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):68120
                                Entropy (8bit):4.328254917259213
                                Encrypted:false
                                SSDEEP:384:gmFRKAmFRK1oDonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/VoM:L8ha1ZGg6UP21Z
                                MD5:EB7D0865C6EE4B11324B7DE39824B770
                                SHA1:4F8B8B95D6551FAE41EEA0ADDA3BCD2AC8781314
                                SHA-256:8F55DDB60B0DB009450396953E2084458535B52EB649EBFC20C157410B1EE41E
                                SHA-512:01A57BB031063DB036369A0050D1FBD280DC3FFB112F52EABE63466408FC02A0AD7974A05E6E436F5729EBDF4DE592ECB2A4332A819BD3680D2D777A5B98ECA6
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):68432
                                Entropy (8bit):0.47924256224344863
                                Encrypted:false
                                SSDEEP:96:FKNVaO80oze8yhO2aU8k28KNVaO80oze8yhO2aU8k2:F8V7lhhx98V7lhhx
                                MD5:C1F55AE781515BBD646ED7DC06296BB9
                                SHA1:C2228B6411688F0B48CBEF08679D3885EAB07F9B
                                SHA-256:BF25E51B59265D0A7A8CD68846E0639CDDA5F90798B1C86E6641FCC3B5BA24C9
                                SHA-512:3FE61630CFC6E3BF1F81125DFD077D7CA1F9318C4F07000B4FA0FB6CEEA598411B2851D7070D78F1F16A8BD4829E320472E810AED21315AC108B0632A7336DA6
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):80688
                                Entropy (8bit):4.40564925224036
                                Encrypted:false
                                SSDEEP:768:Xi3UUi3U1ZVnLmLQXHmtpJnqiNHpzoQpsi3UIHJ:cUTUF4MHmcshUMJ
                                MD5:6877BA22FEC0F90D25F7D41CA6E1CD98
                                SHA1:C1D51E214FC05F9F371E140ABA1EE5E39C0C6217
                                SHA-256:386E3A196FD4B8E5FD5D64C578581BCAADC978CB79597F545A94733515ECBC51
                                SHA-512:16038F486536E21A025119C81B45E7513E6B7AC1DA399AB4DD6D16A3FDFA188468F7BB9402ED20532314F58C05980DCC0EA4E0103B713D6176115ED845533A5E
                                Malicious:false
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):86776
                                Entropy (8bit):3.8542547203882838
                                Encrypted:false
                                SSDEEP:1536:cjSBXq/VIUJx0UPbJDjSBXq/VIUJx0UPbJCPY3c9Nw0zEkkpVqV/CeBd:0
                                MD5:4CD0D2E3D5B9BA0279392C9C87526ACB
                                SHA1:09DD3BB76D146A664C98F077BD4C98CC02069942
                                SHA-256:0E5FFFAC86DF5DFDE04F5CD4D54C9D68D57A6CEE74E6AC511F112F22ADEFDB72
                                SHA-512:26496B95616379403D5D82D70B267D228FAAE2D9695420E8AC54167572D7C8BDAF83E83CF77F6D7FF731EB72E9F2D75CBCF6C6276635F64C1CD0FF3C5BD0F9D7
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):14544
                                Entropy (8bit):6.2660301556221185
                                Encrypted:false
                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 5%
                                Joe Sandbox View:
                                • Filename: file.exe, Detection: malicious
                                • Filename: hiwA7Blv7C.exe, Detection: malicious
                                • Filename: 5fr5gthkjdg71.exe, Detection: malicious
                                • Filename: aAcx14Rjtw.exe, Detection: malicious
                                • Filename: SharcHack.exe, Detection: malicious
                                • Filename: 0Ty.png.exe, Detection: malicious
                                • Filename: Qhx6a6VLAH.exe, Detection: malicious
                                • Filename: 88aext0k.exe, Detection: malicious
                                • Filename: gaozw40v.exe, Detection: malicious
                                • Filename: c2.exe, Detection: malicious
                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                Entropy (8bit):6.523912582824609
                                TrID:
                                • Win64 Executable GUI (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:eth.exe
                                File size:5'468'672 bytes
                                MD5:87c3dd67bfa3009d89f7b45b01d705b8
                                SHA1:7eb74405565dd5971298b2a2c8de9116d08db2d5
                                SHA256:92722d28951672263b79cd30eb975d770cfd5bd5ff53344fd329546fb950f155
                                SHA512:c79f10712bb505d3645c9fdf8ef11bd787ab327fc2f176302de71b5d4a886026e46e40338a5db964e4b42bd152f3279fda8f2f842f99876bee1b0783d2f74e0e
                                SSDEEP:98304:CKloGqNsn3EQMZrDn2aOzO5wzv80/rvVioLICFIJV6MGG/ZclhOP9fjSmlNi/LbP:Rloly39MBD2BiwPDV/IkIJV6AZcL49fy
                                TLSH:AB462349B655CC54CE4B0F396BBA06432FCF312E722982236919D43279E79FD9431B8E
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x140001140
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66C13BAB [Sun Aug 18 00:09:15 2024 UTC]
                                TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:203d63d5d9a088e2d84cef737227986b
                                Instruction
                                dec eax
                                sub esp, 28h
                                dec eax
                                mov eax, dword ptr [00009ED5h]
                                mov dword ptr [eax], 00000001h
                                call 00007F80492D7E3Fh
                                nop
                                nop
                                nop
                                dec eax
                                add esp, 28h
                                ret
                                nop
                                inc ecx
                                push edi
                                inc ecx
                                push esi
                                push esi
                                push edi
                                push ebx
                                dec eax
                                sub esp, 20h
                                dec eax
                                mov eax, dword ptr [00000030h]
                                dec eax
                                mov edi, dword ptr [eax+08h]
                                dec eax
                                mov esi, dword ptr [00009EC9h]
                                xor eax, eax
                                dec eax
                                cmpxchg dword ptr [esi], edi
                                sete bl
                                je 00007F80492D7E60h
                                dec eax
                                cmp edi, eax
                                je 00007F80492D7E5Bh
                                dec esp
                                mov esi, dword ptr [0000BE19h]
                                nop word ptr [eax+eax+00000000h]
                                mov ecx, 000003E8h
                                inc ecx
                                call esi
                                xor eax, eax
                                dec eax
                                cmpxchg dword ptr [esi], edi
                                sete bl
                                je 00007F80492D7E37h
                                dec eax
                                cmp edi, eax
                                jne 00007F80492D7E19h
                                dec eax
                                mov edi, dword ptr [00009E90h]
                                mov eax, dword ptr [edi]
                                cmp eax, 01h
                                jne 00007F80492D7E3Eh
                                mov ecx, 0000001Fh
                                call 00007F80492E1114h
                                jmp 00007F80492D7E59h
                                cmp dword ptr [edi], 00000000h
                                je 00007F80492D7E3Bh
                                mov byte ptr [00537531h], 00000001h
                                jmp 00007F80492D7E4Bh
                                mov dword ptr [edi], 00000001h
                                dec eax
                                mov ecx, dword ptr [00009E7Ah]
                                dec eax
                                mov edx, dword ptr [00009E7Bh]
                                call 00007F80492E110Bh
                                mov eax, dword ptr [edi]
                                cmp eax, 01h
                                jne 00007F80492D7E4Bh
                                dec eax
                                mov ecx, dword ptr [00009E50h]
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xccd8 | 0x3c | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x53a000 | 0x18c | .pdata
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53d000 | 0x78 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0xb0a0 | 0x28 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb410 | 0x138 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0xce78 | 0x160 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x9646 | 0x9800 | 2016b4628b04d8404a43e3a6c174a1ce | False | 0.48599403782894735 | data | 6.153915068032215 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0xb000 | 0x246c | 0x2600 | 59ede9823295acb981c0f7c2db87cb17 | False | 0.45703125 | data | 4.64969711782766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0xe000 | 0x52bd98 | 0x52a800 | 892f3acf1c4bc4e2b92f37ececa0a867 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .pdata | 0x53a000 | 0x18c | 0x200 | 22903d6a75fb037eb233443c429b6c17 | False | 0.505859375 | data | 3.182672211819592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .00cfg | 0x53b000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .tls | 0x53c000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .reloc | 0x53d000 | 0x78 | 0x200 | 7b813d4cf20ea86d13c0c697436c2c04 | False | 0.236328125 | data | 1.435244403940088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                DLL | Import
                                msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2025-01-07T16:07:13.389477+01002826930ETPRO COINMINER XMR CoinMiner Usage2192.168.2.449736192.248.189.118888TCP
                                2025-01-07T16:07:29.137106+01002036289ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)2192.168.2.4501491.1.1.153UDP
                                2025-01-07T16:07:42.569300+01002036289ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)2192.168.2.4623931.1.1.153UDP
                                TimestampSource PortDest PortSource IPDest IP
                                Jan 7, 2025 16:07:29.147337914 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:29.153028011 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:29.154211044 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:29.154361010 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:29.159152031 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:29.793107986 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:29.848526001 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:33.153652906 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:33.233155966 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:36.992294073 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:37.123852968 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:07:58.804905891 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:07:58.936358929 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:08:21.190074921 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:08:21.326930046 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:08:29.424727917 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:08:29.639435053 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:08:45.293616056 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:08:45.380273104 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:09:01.120662928 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:09:01.183177948 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:09:04.796760082 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:09:04.936391115 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:09:12.283585072 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:09:12.327009916 CET497368888192.168.2.4192.248.189.11
                                Jan 7, 2025 16:09:16.106683016 CET888849736192.248.189.11192.168.2.4
                                Jan 7, 2025 16:09:16.327037096 CET497368888192.168.2.4192.248.189.11
                                TimestampSource PortDest PortSource IPDest IP
                                Jan 7, 2025 16:07:29.137105942 CET5014953192.168.2.41.1.1.1
                                Jan 7, 2025 16:07:29.144459963 CET53501491.1.1.1192.168.2.4
                                Jan 7, 2025 16:07:42.569299936 CET6239353192.168.2.41.1.1.1
                                Jan 7, 2025 16:07:42.576822996 CET53623931.1.1.1192.168.2.4
                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Jan 7, 2025 16:07:29.137105942 CET192.168.2.41.1.1.10x33cfStandard query (0)pool.hashvault.proA (IP address)IN (0x0001)false
                                Jan 7, 2025 16:07:42.569299936 CET192.168.2.41.1.1.10xab7eStandard query (0)pool.hashvault.proA (IP address)IN (0x0001)false
DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Jan 7, 2025 16:07:29.144459963 CET  1.1.1.1    192.168.2.4  0x33cf    No error (0)  pool.hashvault.pro         192.248.189.11  A (IP address)  IN (0x0001)  false
Jan 7, 2025 16:07:29.144459963 CET  1.1.1.1    192.168.2.4  0x33cf    No error (0)  pool.hashvault.pro         80.240.16.67    A (IP address)  IN (0x0001)  false
Jan 7, 2025 16:07:42.576822996 CET  1.1.1.1    192.168.2.4  0xab7e    No error (0)  pool.hashvault.pro         80.240.16.67    A (IP address)  IN (0x0001)  false
Jan 7, 2025 16:07:42.576822996 CET  1.1.1.1    192.168.2.4  0xab7e    No error (0)  pool.hashvault.pro         192.248.189.11  A (IP address)  IN (0x0001)  false

                                Code Manipulations

Function Name                  Hook Type  Active in Processes         New Data (identical in both processes)
ZwEnumerateKey                 INLINE     explorer.exe, winlogon.exe  0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     explorer.exe, winlogon.exe  0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     explorer.exe, winlogon.exe  0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe  0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe  0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     explorer.exe, winlogon.exe  0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe  0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     explorer.exe, winlogon.exe  0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     explorer.exe, winlogon.exe  0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     explorer.exe, winlogon.exe  0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     explorer.exe, winlogon.exe  0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe  0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     explorer.exe, winlogon.exe  0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe  0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe  0xE9 0x9A 0xA3 0x32 0x2B 0xBF
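The hook table above is what a user-mode rootkit looks like from the outside: every patched export begins with 0xE9 (JMP rel32), and the rows that carry identical bytes are the same ntdll stub reached through its Nt*, Zw* and Rtl* aliases. The script below is an added triage example, not code from the Joe Sandbox report or from the sample. HOOKS is transcribed from the table; PURPOSE is the analyst's reading of what hooking each stub buys the rootkit; the export address and module size used in the usage section are hypothetical, because the report does not give them, and the report's own six-byte patch strings are only classified and grouped, not decoded as addresses.

```python
"""Triage of the INLINE hooks in the Code Manipulations table (added example)."""
import struct
from collections import defaultdict

# Transcribed from the report: (function, hook type, patched prolog bytes as printed).
HOOKS = [
    ("ZwEnumerateKey",                "INLINE", "E9 9C C3 32 2C CF"),
    ("NtQuerySystemInformation",      "INLINE", "E9 9C C3 32 2A AF"),
    ("ZwResumeThread",                "INLINE", "E9 9A A3 32 27 7F"),
    ("NtDeviceIoControlFile",         "INLINE", "E9 90 03 33 34 4F"),
    ("ZwDeviceIoControlFile",         "INLINE", "E9 90 03 33 34 4F"),
    ("NtEnumerateKey",                "INLINE", "E9 9C C3 32 2C CF"),
    ("NtQueryDirectoryFile",          "INLINE", "E9 9A A3 32 2B BF"),
    ("ZwEnumerateValueKey",           "INLINE", "E9 90 03 33 31 1F"),
    ("ZwQuerySystemInformation",      "INLINE", "E9 9C C3 32 2A AF"),
    ("NtResumeThread",                "INLINE", "E9 9A A3 32 27 7F"),
    ("RtlGetNativeSystemInformation", "INLINE", "E9 9C C3 32 2A AF"),
    ("NtQueryDirectoryFileEx",        "INLINE", "E9 97 73 30 0A AF"),
    ("NtEnumerateValueKey",           "INLINE", "E9 90 03 33 31 1F"),
    ("ZwQueryDirectoryFileEx",        "INLINE", "E9 97 73 30 0A AF"),
    ("ZwQueryDirectoryFile",          "INLINE", "E9 9A A3 32 2B BF"),
]

# Analyst's interpretation of why a user-mode rootkit hooks each stub.
PURPOSE = {
    "NtQuerySystemInformation": "hide processes/modules from enumeration (tasklist, Task Manager)",
    "NtQueryDirectoryFile":     "hide files and directories from listings",
    "NtQueryDirectoryFileEx":   "same as NtQueryDirectoryFile, the newer API used by recent Windows",
    "NtEnumerateKey":           "hide registry keys (e.g. the service key)",
    "NtEnumerateValueKey":      "hide registry values",
    "NtDeviceIoControlFile":    "filter device I/O (commonly used to hide network connections)",
    "NtResumeThread":           "inject into new processes before their first instruction runs",
}


def canonical(name: str) -> str:
    """Map an export to the Nt* stub it shares an address with.

    In 64-bit ntdll the Zw* and Nt* exports point at the same stub, and
    RtlGetNativeSystemInformation aliases NtQuerySystemInformation; that is
    why those rows carry identical patch bytes in the report.
    """
    if name.startswith("Zw"):
        return "Nt" + name[2:]
    if name == "RtlGetNativeSystemInformation":
        return "NtQuerySystemInformation"
    return name


def is_inline_jmp(patch: str) -> bool:
    """True when the patched prolog starts with the E9 (JMP rel32) opcode."""
    return bytes.fromhex(patch.replace(" ", ""))[0] == 0xE9


def group_by_patch(hooks):
    """Group function names by identical patch bytes: one group == one hooked stub."""
    groups = defaultdict(list)
    for name, _hook_type, patch in hooks:
        groups[patch].append(name)
    return dict(groups)


def jmp_target(export_addr: int, prolog: bytes) -> int:
    """Decode a 5-byte JMP rel32 found at export_addr and return its absolute target."""
    if len(prolog) < 5 or prolog[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (rel32,) = struct.unpack_from("<i", prolog, 1)
    return (export_addr + 5 + rel32) & 0xFFFFFFFFFFFFFFFF


def lands_outside(target: int, module_base: int, module_size: int) -> bool:
    """A hook whose target leaves its own module points at injected code."""
    return not (module_base <= target < module_base + module_size)


def triage(hooks):
    """Return {Nt stub: (purpose, sorted aliases hooked, patch)} for every E9 hook.

    All names sharing one patch must canonicalise to one stub; anything else
    would mean two different functions happen to carry the same bytes.
    """
    out = {}
    for patch, names in group_by_patch(hooks).items():
        if not is_inline_jmp(patch):
            continue
        stubs = {canonical(n) for n in names}
        stub = stubs.pop() if len(stubs) == 1 else "MIXED:" + "/".join(sorted(stubs))
        out[stub] = (PURPOSE.get(stub, "unknown"), sorted(names), patch)
    return out


if __name__ == "__main__":
    for stub, (why, aliases, patch) in sorted(triage(HOOKS).items()):
        print(f"{stub:26s} {patch}  {why}\n{'':26s} aliases: {', '.join(aliases)}")
    # Hypothetical ntdll base/size and a constructed 5-byte JMP whose rel32 (0xFFB) lands 0x1000 past the stub.
    base, size = 0x7FFB00000000, 0x1F0000
    tgt = jmp_target(base, bytes.fromhex("E9FB0F0000"))
    print(hex(tgt), "outside module:", lands_outside(tgt, base, size))
```

On a live host the same check is done by reading the first bytes of each Nt* export in every process; a clean x64 syscall stub starts with 4C 8B D1 B8 (mov r10, rcx; mov eax, syscall number), so anything beginning with E9, FF 25 or a mov rax/jmp rax sequence is a hook, and a JMP whose target lies outside ntdll's image range is the injected payload's address.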

                                Target ID:0
                                Start time:10:07:17
                                Start date:07/01/2025
                                Path:C:\Users\user\Desktop\eth.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\eth.exe"
                                Imagebase:0x7ff678400000
                                File size:5'468'672 bytes
                                MD5 hash:87C3DD67BFA3009D89F7B45B01D705B8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:10:07:17
                                Start date:07/01/2025
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:10:07:17
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:10:07:22
                                Start date:07/01/2025
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                Imagebase:0x7ff7fd8b0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:10:07:22
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:10:07:22
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:10:07:22
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:10:07:22
                                Start date:07/01/2025
                                Path:C:\Windows\System32\wusa.exe
                                Wow64 process (32bit):false
                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                Imagebase:0x7ff6df180000
                                File size:345'088 bytes
                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:9
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:13
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop bits
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:14
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:15
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop dosvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:16
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:17
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\dialer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\dialer.exe
                                Imagebase:0x7ff70e4b0000
                                File size:39'936 bytes
                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:18
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe delete "ARIBLEUL"
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:19
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:21
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\winlogon.exe
                                Wow64 process (32bit):false
                                Commandline:winlogon.exe
                                Imagebase:0x7ff7cd660000
                                File size:906'240 bytes
                                MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:23
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop eventlog
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:24
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe start "ARIBLEUL"
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:10:07:23
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:10:07:24
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:27
                                Start time:10:07:24
                                Start date:07/01/2025
                                Path:C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
                                Wow64 process (32bit):false
                                Commandline:C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
                                Imagebase:0x7ff686590000
                                File size:5'468'672 bytes
                                MD5 hash:87C3DD67BFA3009D89F7B45B01D705B8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 68%, ReversingLabs
                                Has exited:true

                                Target ID:28
                                Start time:10:07:24
                                Start date:07/01/2025
                                Path:C:\Windows\System32\lsass.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\lsass.exe
                                Imagebase:0x7ff7a2ae0000
                                File size:59'456 bytes
                                MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:29
                                Start time:10:07:24
                                Start date:07/01/2025
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:30
                                Start time:10:07:24
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:31
                                Start time:10:07:25
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:32
                                Start time:10:07:25
                                Start date:07/01/2025
                                Path:C:\Windows\System32\dwm.exe
                                Wow64 process (32bit):false
                                Commandline:"dwm.exe"
                                Imagebase:0x7ff74e710000
                                File size:94'720 bytes
                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:33
                                Start time:10:07:25
                                Start date:07/01/2025
                                Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                Imagebase:0x7ff6b08e0000
                                File size:468'120 bytes
                                MD5 hash:B3676839B2EE96983F9ED735CD044159
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:34
                                Start time:10:07:25
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:35
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                Imagebase:0x7ff7fd8b0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:36
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:37
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:38
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:39
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\wusa.exe
                                Wow64 process (32bit):false
                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                Imagebase:0x7ff6df180000
                                File size:345'088 bytes
                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:40
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:41
                                Start time:10:07:26
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:42
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:43
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:44
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop bits
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:46
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:47
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\sc.exe stop dosvc
                                Imagebase:0x7ff794350000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:48
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:49
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\dialer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\dialer.exe
                                Imagebase:0x7ff70e4b0000
                                File size:39'936 bytes
                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:50
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\dialer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\dialer.exe
                                Imagebase:0x7ff70e4b0000
                                File size:39'936 bytes
                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:51
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:52
                                Start time:10:07:27
                                Start date:07/01/2025
                                Path:C:\Windows\System32\dialer.exe
                                Wow64 process (32bit):false
                                Commandline:dialer.exe
                                Imagebase:0x7ff70e4b0000
                                File size:39'936 bytes
                                MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                Has exited:false

                                Target ID:53
                                Start time:10:07:28
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:54
                                Start time:10:07:28
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:55
                                Start time:10:07:29
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:56
                                Start time:10:07:29
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:57
                                Start time:10:07:31
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:58
                                Start time:10:07:32
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:59
                                Start time:10:07:33
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:60
                                Start time:10:07:34
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:61
                                Start time:10:07:34
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:62
                                Start time:10:07:34
                                Start date:07/01/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                Imagebase:0x7ff6eef20000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1930119979.00007FF678401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF678400000, based on PE: true
                                  • Associated: 00000000.00000002.1930105744.00007FF678400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1930148578.00007FF67840B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1930163761.00007FF67840E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1930180267.00007FF67840F000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1930603621.00007FF678903000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1930688681.00007FF67893A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff678400000_eth.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                  • Instruction ID: fb0a7449f55d34e3818799c88cf429e8b77af7bb9df173c4dcebfc1af51d6b77
                                  • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                  • Instruction Fuzzy Hash: 16B0923293420984E2042B22984136A2A606B2C741F600060D40C56356EEAD58404B18

                                  Execution Graph

                                  Execution Coverage:45.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:67%
                                  Total number of Nodes:227
                                  Total number of Limit Nodes:25
                                  execution_graph 522 140002524 523 140002531 522->523 524 140002539 522->524 525 1400010c0 30 API calls 523->525 525->524 383 140002bf8 384 140002c05 383->384 386 140002c25 ConnectNamedPipe 384->386 387 140002c1a Sleep 384->387 393 140001b54 AllocateAndInitializeSid 384->393 388 140002c83 Sleep 386->388 389 140002c34 ReadFile 386->389 387->384 391 140002c8e DisconnectNamedPipe 388->391 390 140002c57 WriteFile 389->390 389->391 390->391 391->386 394 140001bb1 SetEntriesInAclW 393->394 395 140001c6f 393->395 394->395 396 140001bf5 LocalAlloc 394->396 395->384 396->395 397 140001c09 InitializeSecurityDescriptor 396->397 397->395 398 140001c19 SetSecurityDescriptorDacl 397->398 398->395 399 140001c30 CreateNamedPipeW 398->399 399->395 400 140002258 403 14000226c 400->403 427 140001f2c 403->427 406 140001f2c 14 API calls 407 14000228f GetCurrentProcessId OpenProcess 406->407 408 140002321 FindResourceExA 407->408 409 1400022af OpenProcessToken 407->409 412 140002341 SizeofResource 408->412 413 140002261 ExitProcess 408->413 410 1400022c3 LookupPrivilegeValueW 409->410 411 140002318 CloseHandle 409->411 410->411 414 1400022da AdjustTokenPrivileges 410->414 411->408 412->413 415 14000235a LoadResource 412->415 414->411 416 140002312 GetLastError 414->416 415->413 417 14000236e LockResource GetCurrentProcessId 415->417 416->411 441 1400017ec GetProcessHeap HeapAlloc 417->441 419 14000238b RegCreateKeyExW 420 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 419->420 421 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 419->421 422 14000250f SleepEx 420->422 423 1400023f4 RegSetKeySecurity LocalFree 421->423 424 14000240e RegCreateKeyExW 421->424 422->422 423->424 425 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 424->425 426 14000247f RegCloseKey 424->426 425->426 426->420 428 140001f35 StrCpyW StrCatW GetModuleHandleW 427->428 429 1400020ff 427->429 428->429 430 140001f86 GetCurrentProcess 
K32GetModuleInformation 428->430 429->406 431 1400020f6 FreeLibrary 430->431 432 140001fb6 CreateFileW 430->432 431->429 432->431 433 140001feb CreateFileMappingW 432->433 434 140002014 MapViewOfFile 433->434 435 1400020ed CloseHandle 433->435 436 1400020e4 CloseHandle 434->436 437 140002037 434->437 435->431 436->435 437->436 438 140002050 lstrcmpiA 437->438 440 14000208e 437->440 438->437 439 140002090 VirtualProtect VirtualProtect 438->439 439->436 440->436 447 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 441->447 443 140001885 GetProcessHeap HeapFree 444 140001830 444->443 445 140001851 OpenProcess 444->445 445->444 446 140001867 TerminateProcess CloseHandle 445->446 446->444 448 140001565 447->448 449 14000162f GetProcessHeap HeapFree GetProcessHeap HeapFree 447->449 448->449 450 14000157a OpenProcess 448->450 452 14000161a CloseHandle 448->452 453 1400015c9 ReadProcessMemory 448->453 449->444 450->448 451 140001597 K32EnumProcessModules 450->451 451->448 451->452 452->448 453->448 454 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 455 140002b8e K32EnumProcesses 454->455 456 140002beb Sleep 455->456 458 140002ba3 455->458 456->455 457 140002bdc 457->456 458->457 460 140002540 458->460 461 140002558 460->461 462 14000254d 460->462 461->458 464 1400010c0 462->464 502 1400018ac OpenProcess 464->502 467 1400014ba 467->461 468 140001122 OpenProcess 468->467 469 14000113e OpenProcess 468->469 470 140001161 K32GetModuleFileNameExW 469->470 471 1400011fd NtQueryInformationProcess 469->471 472 1400011aa CloseHandle 470->472 473 14000117a PathFindFileNameW lstrlenW 470->473 474 1400014b1 CloseHandle 471->474 475 140001224 471->475 472->471 477 1400011b8 472->477 473->472 476 140001197 StrCpyW 473->476 474->467 475->474 478 140001230 OpenProcessToken 475->478 476->472 477->471 479 1400011d8 StrCmpIW 477->479 478->474 480 14000124e GetTokenInformation 478->480 479->474 479->477 481 1400012f1 480->481 482 140001276 GetLastError 

                                  Callgraph

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                  • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                  • API String ID: 4177739653-1130149537
                                  • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                  • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                  • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                  • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                  • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                  • API String ID: 2561231171-3753927220
                                  • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                  • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                  • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                  • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                  • String ID:
                                  • API String ID: 4084875642-0
                                  • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                  • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                  • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                  • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                  • String ID:
                                  • API String ID: 3197395349-0
                                  • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                  • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                  • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                  • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                  Control-flow Graph

                                  APIs
                                  • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                  • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                    • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                    • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                    • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                    • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                    • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                    • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                    • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                    • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                    • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                                  • OpenProcess.KERNEL32 ref: 0000000140001859
                                  • TerminateProcess.KERNEL32 ref: 000000014000186C
                                  • CloseHandle.KERNEL32 ref: 0000000140001875
                                  • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                  • String ID:
                                  • API String ID: 1323846700-0
                                  • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                  • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                  • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                  • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                  • String ID: .text$C:\Windows\System32\
                                  • API String ID: 2721474350-832442975
                                  • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                  • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                  • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                  • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                  • String ID: M$\\.\pipe\dialerchildproc64
                                  • API String ID: 2203880229-3489460547
                                  • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                  • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                  • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                  • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                  • String ID: \\.\pipe\dialercontrol_redirect64
                                  • API String ID: 2071455217-3440882674
                                  • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                  • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                  • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                  • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess$EnumProcessesSleep
                                  • String ID:
                                  • API String ID: 3676546796-0
                                  • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                  • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                  • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                  • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$CloseHandleOpenWow64
                                  • String ID:
                                  • API String ID: 10462204-0
                                  • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                  • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                  • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                  • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                    • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                    • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                    • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                    • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                    • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                    • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                    • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                    • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                    • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                    • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                    • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                    • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                    • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                    • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                    • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                  • ExitProcess.KERNEL32 ref: 0000000140002263
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                  • String ID:
                                  • API String ID: 3836936051-0
                                  • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                  • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                  • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                  • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                  • String ID: SOFTWARE$dialerstager$open
                                  • API String ID: 3276259517-3931493855
                                  • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                  • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                  • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                  • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 280 140001c88-140001cb8 281 140001cbb-140001cc8 280->281 282 140001e8c-140001e91 281->282 283 140001cce-140001d25 CreateProcessW 281->283 282->281 286 140001e97 282->286 284 140001e88 283->284 285 140001d2b-140001d5a VirtualAllocEx 283->285 284->282 287 140001e5d-140001e60 285->287 288 140001d60-140001d7b WriteProcessMemory 285->288 289 140001e99-140001eb9 286->289 290 140001e62-140001e76 OpenProcess 287->290 291 140001e85 287->291 288->287 292 140001d81-140001d87 288->292 290->284 293 140001e78-140001e83 TerminateProcess 290->293 291->284 294 140001dd2-140001def VirtualAlloc 292->294 295 140001d89 292->295 293->284 294->287 296 140001df1-140001e07 GetThreadContext 294->296 297 140001d8c-140001dba WriteProcessMemory 295->297 296->287 299 140001e09-140001e2e WriteProcessMemory 296->299 297->287 298 140001dc0-140001dcc 297->298 298->297 300 140001dce 298->300 299->287 301 140001e30-140001e4c SetThreadContext 299->301 300->294 301->287 302 140001e4e-140001e5b ResumeThread 301->302 302->287 303 140001eba-140001ebf 302->303 303->289
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                  • String ID: @
                                  • API String ID: 3462610200-2766056989
                                  • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                  • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                  • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                  • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                  • String ID: dialersvc64
                                  • API String ID: 4184240511-3881820561
                                  • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                  • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                  • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                  • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Delete$CloseEnumOpen
                                  • String ID: SOFTWARE\dialerconfig
                                  • API String ID: 3013565938-461861421
                                  • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                  • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                  • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                  • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: File$Write$CloseCreateHandle
                                  • String ID: \\.\pipe\dialercontrol_redirect64
                                  • API String ID: 148219782-3440882674
                                  • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                  • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                  • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                  • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.1992165216.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000011.00000002.1992117071.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992213507.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000011.00000002.1992255681.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: ntdll.dll
                                  • API String ID: 1646373207-2227199552
                                  • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                  • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                  • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                  • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                  Execution Graph

                                  Execution Coverage: 1%
                                  Dynamic/Decrypted Code Coverage: 94.6%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 112
                                  Total number of Limit Nodes: 18
                                  execution_graph 29689 225dc67273c 29690 225dc67276a 29689->29690 29691 225dc6727c5 VirtualAlloc 29690->29691 29692 225dc6727ec 29690->29692 29691->29692 29693 225dc643ab9 29694 225dc643a06 29693->29694 29695 225dc643a56 VirtualQuery 29694->29695 29696 225dc643a8a VirtualAlloc 29694->29696 29698 225dc643a70 29694->29698 29695->29694 29695->29698 29697 225dc643abb GetLastError 29696->29697 29696->29698 29697->29694 29697->29698 29699 225dc641abc 29704 225dc641628 GetProcessHeap 29699->29704 29701 225dc641ad2 Sleep SleepEx 29702 225dc641acb 29701->29702 29702->29701 29703 225dc641598 StrCmpIW StrCmpW 29702->29703 29703->29702 29705 225dc641648 _invalid_parameter_noinfo 29704->29705 29749 225dc641268 GetProcessHeap 29705->29749 29707 225dc641650 29708 225dc641268 2 API calls 29707->29708 29709 225dc641661 29708->29709 29710 225dc641268 2 API calls 29709->29710 29711 225dc64166a 29710->29711 29712 225dc641268 2 API calls 29711->29712 29713 225dc641673 29712->29713 29714 225dc64168e RegOpenKeyExW 29713->29714 29715 225dc6418a6 29714->29715 29716 225dc6416c0 RegOpenKeyExW 29714->29716 29715->29702 29717 225dc6416e9 29716->29717 29718 225dc6416ff RegOpenKeyExW 29716->29718 29760 225dc6412bc 13 API calls _invalid_parameter_noinfo 29717->29760 29719 225dc64173a RegOpenKeyExW 29718->29719 29720 225dc641723 29718->29720 29723 225dc641775 RegOpenKeyExW 29719->29723 29724 225dc64175e 29719->29724 29753 225dc64104c RegQueryInfoKeyW 29720->29753 29728 225dc641799 29723->29728 29729 225dc6417b0 RegOpenKeyExW 29723->29729 29761 225dc6412bc 13 API calls _invalid_parameter_noinfo 29724->29761 29725 225dc6416f5 RegCloseKey 29725->29718 29762 225dc6412bc 13 API calls _invalid_parameter_noinfo 29728->29762 29732 225dc6417eb RegOpenKeyExW 29729->29732 29733 225dc6417d4 29729->29733 29730 225dc64176b RegCloseKey 29730->29723 29734 225dc641826 RegOpenKeyExW 29732->29734 29735 225dc64180f 29732->29735 29763 225dc6412bc 13 API calls _invalid_parameter_noinfo 
29733->29763 29739 225dc64184a 29734->29739 29740 225dc641861 RegOpenKeyExW 29734->29740 29738 225dc64104c 5 API calls 29735->29738 29736 225dc6417a6 RegCloseKey 29736->29729 29742 225dc64181c RegCloseKey 29738->29742 29743 225dc64104c 5 API calls 29739->29743 29744 225dc64189c RegCloseKey 29740->29744 29745 225dc641885 29740->29745 29741 225dc6417e1 RegCloseKey 29741->29732 29742->29734 29746 225dc641857 RegCloseKey 29743->29746 29744->29715 29747 225dc64104c 5 API calls 29745->29747 29746->29740 29748 225dc641892 RegCloseKey 29747->29748 29748->29744 29764 225dc656168 29749->29764 29751 225dc641283 GetProcessHeap 29752 225dc6412ae _invalid_parameter_noinfo 29751->29752 29752->29707 29754 225dc6411b5 RegCloseKey 29753->29754 29755 225dc6410bf 29753->29755 29754->29719 29755->29754 29756 225dc6410cf RegEnumValueW 29755->29756 29758 225dc641125 _invalid_parameter_noinfo 29756->29758 29757 225dc64114e GetProcessHeap 29757->29758 29758->29754 29758->29756 29758->29757 29759 225dc64116e GetProcessHeap HeapFree 29758->29759 29759->29758 29760->29725 29761->29730 29762->29736 29763->29741 29765 225dc61273c 29766 225dc61276a 29765->29766 29767 225dc6127c5 VirtualAlloc 29766->29767 29770 225dc6128d4 29766->29770 29768 225dc6127ec 29767->29768 29767->29770 29769 225dc612858 LoadLibraryA 29768->29769 29768->29770 29769->29768 29771 225dc6428c8 29772 225dc64290e 29771->29772 29773 225dc642970 29772->29773 29775 225dc643844 29772->29775 29776 225dc643866 29775->29776 29777 225dc643851 StrCmpNIW 29775->29777 29776->29772 29777->29776 29778 225dc64554d 29780 225dc645554 29778->29780 29779 225dc6455bb 29780->29779 29781 225dc645637 VirtualProtect 29780->29781 29782 225dc645671 29781->29782 29783 225dc645663 GetLastError 29781->29783 29783->29782 29784 225dc6ad6cc 29789 225dc6ad6dd _invalid_parameter_noinfo 29784->29789 29785 225dc6ad72e 29790 225dc6ad6ac 6 API calls __free_lconv_mon 29785->29790 29786 225dc6ad712 HeapAlloc 29787 225dc6ad72c 29786->29787 29786->29789 29789->29785 
29789->29786 29790->29787 29791 225dc645cf0 29792 225dc645cfd 29791->29792 29793 225dc645d09 29792->29793 29799 225dc645e1a 29792->29799 29794 225dc645d3e 29793->29794 29795 225dc645d8d 29793->29795 29796 225dc645d66 SetThreadContext 29794->29796 29796->29795 29797 225dc645e41 VirtualProtect FlushInstructionCache 29797->29799 29798 225dc645efe 29800 225dc645f1e 29798->29800 29813 225dc6443e0 VirtualFree 29798->29813 29799->29797 29799->29798 29809 225dc644df0 GetCurrentProcess 29800->29809 29802 225dc645f23 29804 225dc645f77 29802->29804 29805 225dc645f37 ResumeThread 29802->29805 29814 225dc647940 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind capture_previous_context 29804->29814 29806 225dc645f6b 29805->29806 29806->29802 29808 225dc645fbf 29810 225dc644e0c 29809->29810 29811 225dc644e22 VirtualProtect FlushInstructionCache 29810->29811 29812 225dc644e53 29810->29812 29811->29810 29812->29802 29813->29800 29814->29808

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 59 225dc645b30-225dc645b57 60 225dc645b59-225dc645b68 59->60 61 225dc645b6b-225dc645b76 GetCurrentThreadId 59->61 60->61 62 225dc645b78-225dc645b7d 61->62 63 225dc645b82-225dc645b89 61->63 64 225dc645faf-225dc645fc6 call 225dc647940 62->64 65 225dc645b9b-225dc645baf 63->65 66 225dc645b8b-225dc645b96 call 225dc645960 63->66 69 225dc645bbe-225dc645bc4 65->69 66->64 72 225dc645bca-225dc645bd3 69->72 73 225dc645c95-225dc645cb6 69->73 75 225dc645c1a-225dc645c8d call 225dc644510 call 225dc6444b0 call 225dc644470 72->75 76 225dc645bd5-225dc645c18 call 225dc6485c0 72->76 78 225dc645cbc-225dc645cdc GetThreadContext 73->78 79 225dc645e1f-225dc645e30 call 225dc6474bf 73->79 87 225dc645c90 75->87 76->87 83 225dc645e1a 78->83 84 225dc645ce2-225dc645d03 78->84 90 225dc645e35-225dc645e3b 79->90 83->79 84->83 93 225dc645d09-225dc645d12 84->93 87->69 94 225dc645e41-225dc645e98 VirtualProtect FlushInstructionCache 90->94 95 225dc645efe-225dc645f0e 90->95 97 225dc645d92-225dc645da3 93->97 98 225dc645d14-225dc645d25 93->98 101 225dc645ec9-225dc645ef9 call 225dc6478ac 94->101 102 225dc645e9a-225dc645ea4 94->102 106 225dc645f1e-225dc645f2a call 225dc644df0 95->106 107 225dc645f10-225dc645f17 95->107 103 225dc645e15 97->103 104 225dc645da5-225dc645dc3 97->104 99 225dc645d27-225dc645d3c 98->99 100 225dc645d8d 98->100 99->100 108 225dc645d3e-225dc645d88 call 225dc643970 SetThreadContext 99->108 100->103 101->90 102->101 109 225dc645ea6-225dc645ec1 call 225dc644390 102->109 104->103 110 225dc645dc5-225dc645e10 call 225dc643900 call 225dc6474dd 104->110 120 225dc645f2f-225dc645f35 106->120 107->106 112 225dc645f19 call 225dc6443e0 107->112 108->100 109->101 110->103 112->106 124 225dc645f77-225dc645f95 120->124 125 225dc645f37-225dc645f75 ResumeThread call 225dc6478ac 120->125 128 225dc645fa9 124->128 129 225dc645f97-225dc645fa6 124->129 125->120 128->64 129->128
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                  • Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
                                  • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                  • Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 131 225dc6450d0-225dc6450fc 132 225dc64510d-225dc645116 131->132 133 225dc6450fe-225dc645106 131->133 134 225dc645127-225dc645130 132->134 135 225dc645118-225dc645120 132->135 133->132 136 225dc645141-225dc64514a 134->136 137 225dc645132-225dc64513a 134->137 135->134 138 225dc64514c-225dc645151 136->138 139 225dc645156-225dc645161 GetCurrentThreadId 136->139 137->136 140 225dc6456d3-225dc6456da 138->140 141 225dc645163-225dc645168 139->141 142 225dc64516d-225dc645174 139->142 141->140 143 225dc645176-225dc64517c 142->143 144 225dc645181-225dc64518a 142->144 143->140 145 225dc64518c-225dc645191 144->145 146 225dc645196-225dc6451a2 144->146 145->140 147 225dc6451a4-225dc6451c9 146->147 148 225dc6451ce-225dc645225 call 225dc6456e0 * 2 146->148 147->140 153 225dc64523a-225dc645243 148->153 154 225dc645227-225dc64522e 148->154 155 225dc645255-225dc64525e 153->155 156 225dc645245-225dc645252 153->156 157 225dc645236 154->157 158 225dc645230 154->158 159 225dc645273-225dc645298 call 225dc647870 155->159 160 225dc645260-225dc645270 155->160 156->155 157->153 162 225dc6452a6-225dc6452aa 157->162 161 225dc6452b0-225dc6452b6 158->161 170 225dc64532d-225dc645342 call 225dc643cc0 159->170 171 225dc64529e 159->171 160->159 164 225dc6452e5-225dc6452eb 161->164 165 225dc6452b8-225dc6452d4 call 225dc644390 161->165 162->161 168 225dc645315-225dc645328 164->168 169 225dc6452ed-225dc64530c call 225dc6478ac 164->169 165->164 175 225dc6452d6-225dc6452de 165->175 168->140 169->168 178 225dc645351-225dc64535a 170->178 179 225dc645344-225dc64534c 170->179 171->162 175->164 180 225dc64536c-225dc6453ba call 225dc648c60 178->180 181 225dc64535c-225dc645369 178->181 179->162 184 225dc6453c2-225dc6453ca 180->184 181->180 185 225dc6454d7-225dc6454df 184->185 186 225dc6453d0-225dc6454bb call 225dc647440 184->186 187 225dc6454e1-225dc6454f4 call 225dc644590 185->187 188 225dc645523-225dc64552b 185->188 194 225dc6454bd 186->194 195 
225dc6454bf-225dc6454ce call 225dc644060 186->195 203 225dc6454f6 187->203 204 225dc6454f8-225dc645521 187->204 191 225dc645537-225dc645546 188->191 192 225dc64552d-225dc645535 188->192 198 225dc645548 191->198 199 225dc64554f 191->199 192->191 197 225dc645554-225dc645561 192->197 194->185 208 225dc6454d2 195->208 209 225dc6454d0 195->209 200 225dc645563 197->200 201 225dc645564-225dc6455b9 call 225dc6485c0 197->201 198->199 199->197 200->201 210 225dc6455bb-225dc6455c3 201->210 211 225dc6455c8-225dc645661 call 225dc644510 call 225dc644470 VirtualProtect 201->211 203->188 204->185 208->184 209->185 216 225dc645671-225dc6456d1 211->216 217 225dc645663-225dc645668 GetLastError 211->217 216->140 217->216
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                  • Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
                                  • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                  • Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocQuery
                                  • String ID:
                                  • API String ID: 31662377-0
                                  • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                  • Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
                                  • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                  • Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                  • String ID:
                                  • API String ID: 3733156554-0
                                  • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                  • Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
                                  • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                  • Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 265 225dc61273c-225dc6127a4 call 225dc6129d4 * 4 274 225dc6127aa-225dc6127ad 265->274 275 225dc6129b2 265->275 274->275 277 225dc6127b3-225dc6127b6 274->277 276 225dc6129b4-225dc6129d0 275->276 277->275 278 225dc6127bc-225dc6127bf 277->278 278->275 279 225dc6127c5-225dc6127e6 VirtualAlloc 278->279 279->275 280 225dc6127ec-225dc61280c 279->280 281 225dc612838-225dc61283f 280->281 282 225dc61280e-225dc612836 280->282 283 225dc612845-225dc612852 281->283 284 225dc6128df-225dc6128e6 281->284 282->281 282->282 283->284 285 225dc612858-225dc61286a LoadLibraryA 283->285 286 225dc6128ec-225dc612901 284->286 287 225dc612992-225dc6129b0 284->287 289 225dc6128ca-225dc6128d2 285->289 290 225dc61286c-225dc612878 285->290 286->287 288 225dc612907 286->288 287->276 291 225dc61290d-225dc612921 288->291 289->285 293 225dc6128d4-225dc6128d9 289->293 292 225dc6128c5-225dc6128c8 290->292 295 225dc612982-225dc61298c 291->295 296 225dc612923-225dc612934 291->296 292->289 297 225dc61287a-225dc61287d 292->297 293->284 295->287 295->291 299 225dc612936-225dc61293d 296->299 300 225dc61293f-225dc612943 296->300 301 225dc6128a7-225dc6128b7 297->301 302 225dc61287f-225dc6128a5 297->302 303 225dc612970-225dc612980 299->303 304 225dc612945-225dc61294b 300->304 305 225dc61294d-225dc612951 300->305 306 225dc6128ba-225dc6128c1 301->306 302->306 303->295 303->296 304->303 307 225dc612963-225dc612967 305->307 308 225dc612953-225dc612961 305->308 306->292 307->303 310 225dc612969-225dc61296c 307->310 308->303 310->303
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: AllocLibraryLoadVirtual
                                  • String ID:
                                  • API String ID: 3550616410-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
                                    • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
                                  • Sleep.KERNEL32 ref: 00000225DC641AD7
                                  • SleepEx.KERNELBASE ref: 00000225DC641ADD
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
                                    • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
                                    • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

                                  Control-flow Graph (rendered graph not recoverable; basic blocks 225dc67273c-225dc6729d0, with a call to VirtualAlloc)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: c822286e1b467df8a310eb99b0d592360f537eec13a50740bd2f5dfddf19021e
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: A561483AB01AA0D7DB56CF9AD00876DB3A2F754BA5F18C921CF5907BC8DA38D852C700

                                  Control-flow Graph (rendered graph not recoverable; basic blocks 225dc6ad6cc-225dc6ad740, with a call to HeapAlloc)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: AllocHeap
                                  • String ID:
                                  • API String ID: 4292702814-0
                                  • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                  • Instruction ID: d48ce241fd5c6b57c9d66a3839ec59588558f897ab86195e616c0656e38ee758
                                  • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                  • Instruction Fuzzy Hash: 21F05E6C301E2161FE6DDBEE995D3A552955F89B82F6CE4344D0AC67E2EE3CC481C620
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: 02e5d621d8295eb5dd385e75f9606a0c78f62cf6da70878d64f9e7b1c174dd69
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: DCB1B47A21CE60A6EB968FEDC4487A973A5F744B8AF24D056DE0A53B94DF34CC41C340
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: 8b409eee056ac65ba81e46254c59d85845063fb26c80b4bd130284c66f771075
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 96B1B37A290E60A2EBAADFADC44876963A5F744B86F24D016DE0DD3B95DF35CC81C340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 3b87e895a044953073a839ffa4b4feaece301703ffc135d08af6657be6a0d668
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: 14317276205F9099EB64DFA4E8443EE73A1F78474AF448029DB4E57B94EF38C548CB10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: f4e1f7a423249601853f9bf4c02ae152ed9a85bcd9bd447fde6e0ecec31a17ad
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: 1531C73A218F90A6DB60DFA9E8443EE73A0F789755F504126EB9E43B94DF38C145CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: 4dbdfab791ea173b22a2c1feee1540d37dae8e72db698209205baee473c09c96
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: 7631C93A214F90A6EB64CFA9E8443DE73A0F789756F504126EB9D43B54DF38C145CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: d33dc497d620ec2850d47fa6d7599d0f75ef197f864d2f2ea1a1538dcd62ba05
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: 54113026714F119AEF50CFE8E8593A833A4F719759F440E21DB6D467A4DF78C1A8C380
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                  • Instruction ID: 712154813c46b612020be7a143dde11e41283ee14142f5bab4be78c3f0fa479c
                                  • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                  • Instruction Fuzzy Hash: 11511A26B0CBA0A9FB20DBBAE84879E7BA1F740BD5F148155EE5927B95DB38C001C700
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                  • Instruction ID: da0f1b53d22c38e7f028f1682345193667a56556076439a06e8349e4d1e3cf91
                                  • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                  • Instruction Fuzzy Hash: 3C510926700FE0A9FB20DFBAA84879E7BA5F7447D5F248114EE58A7B95DB38C411C700
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                  • Instruction ID: fee74b632db8da7adfbcef3e822971e4130eb4171b3ad2da802a4781d9383549
                                  • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                  • Instruction Fuzzy Hash: EAF062B57146A49EDBA98F6CA80671A77E1F308381FD4C029D68983B04D33C8061CF04

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: 545a197093dbf33f1111aaff3c94dd347963510d91bf182c1d2d2b3e49a62449
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: 1B71FE7A314E24E6EB10DFAAE85869D33B5FB84B8AF109111DE4E97B69DF38C444C740

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: fb1b484c7ebee393b1b53cdd5cd81ac2c1ca147a5507fda1b24fca473b782784
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 46515E7A214F9496EB64CFAAE54836A77A1F789F9AF148124DF4A07B58DF3CC045C700

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: d2d635d82ad37731a82d28168a5eda6b08545a77464cd3cb2b7161adfafd8aad
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 22516C7A200F94DAEB54CFAAE54835A77A6F789F9AF148124DE4A47728DF3CC049C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: 52c27ab1b4cc8d1b0b7a026bbb00d0580f7e8789e5eca17ee175a033894297e0
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: 9231B8AC518DAAB0EB46EFEDE9597D43361B70434BF90D093940B025B1AF38828AC350
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: bae3e35cc23bdf7e795311711b41c652c83ad71068a264824faefe60a6291ab9
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: 583195AC240D6AB0EA46EFEDE8697D46361B70474BF94D023D80986675EF3CC249C350
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 22cde9f525fffbeb1c6e8d8417a217ee6af8dab08b44ae11a5e6f92b2a2e472d
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 5581E26D710E61A6FA54EBEE944D35923D0EB85B82F58C8259B0947FD7EF38C846CB00
                                  APIs
                                  • GetLastError.KERNEL32 ref: 00000225DC64CE37
                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
                                  • SetLastError.KERNEL32 ref: 00000225DC64CED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C
                                    • Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54
                                    • Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
                                    • Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  APIs
                                  • GetLastError.KERNEL32 ref: 00000225DC6ACE37
                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE4C
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE6D
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE9A
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEAB
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEBC
                                  • SetLastError.KERNEL32 ref: 00000225DC6ACED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,00000225DC6AECCC,?,?,?,?,00000225DC6ABF9F,?,?,?,?,?,00000225DC6A7AB0), ref: 00000225DC6ACF2C
                                    • Part of subcall function 00000225DC6AD6CC: HeapAlloc.KERNEL32 ref: 00000225DC6AD721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF54
                                    • Part of subcall function 00000225DC6AD744: HeapFree.KERNEL32 ref: 00000225DC6AD75A
                                    • Part of subcall function 00000225DC6AD744: GetLastError.KERNEL32 ref: 00000225DC6AD764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF76
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D087
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0A6
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0CE
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0DF
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD087
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0A6
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0CE
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0DF
                                  • FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction ID: 6d0a1707391fcb5c153528b149007a8a8c9fe1f40df049437015618af4cf0edf
                                  • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction Fuzzy Hash: 5E31B23A781F61A2EA15CF9EE54876967A1FB48B86F18C0309F4C87B55EF34D4A1C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: 4157702fcb9233f49a77c46e803b27685ba528657f510afb3a862d3f666b09f6
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: B3119D2874CE6071FE64ABFE954D32932426B95BB6F10C3A4A837477EADE78C441C200
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: 6f9918c3cbd4a8341a5960baa032c6c80083ab5fabd7ed8650c6535314c37da2
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: B9119D68300E6061FA68EBFE564D32922426F987B6F30C324A836C77EADE78C441C201
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: cb2a63c83e44a23da2db583fd32e9b754654e1e9db48b59022d394c89ab082b1
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: 99016929300E5092EB18DB9AA89C35963A6FB88BC6F988035DF4D83754DF3CC989C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: 5377c2d080006a4fe2cd119959f91c4f1597db279fc077c9b970d2bb0f292206
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: E101296D325F6492FB649BAAE80C71A73A0BB49B87F148464CE4A07765EF3DC158C704
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: 3adde3a003b7029c84831e13eabd217eaefc6f8cdf697e4629c9387f833a695b
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: FB012969211F60A2EB289BAAE91C71977A1BB59B87F188424CE4947764EF3DC148C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction ID: b166926d79cf74f009588074e3820990c0fc1e07a97fa4e01069ba2e3ee14553
                                  • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction Fuzzy Hash: 6651BF3A75DA20EAEB14DF99E84CB5937AAF344B8AF10C5A4DA174778CDB35C842C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction ID: 599e737887705c3809ce4680662d838ae3905f4783b37dc68dc1ccc8eae22418
                                  • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction Fuzzy Hash: 78519F3A701A20AAEB14DFA9E84CB5937A6F344BCAF30C524DA568778DDB75DD42C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: 2a81db31a951e5e259a4acc7b5a595b85a3b479c602b75ed73f30d03813019d1
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: BBF06866304E51A2EB60CFE9F9C87597762F748B8AF94C020DB4946654DF3CC64DCB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: 05bf48fb40d5b317a8235632c964cef6d02a25c8f7691d3038dd68194b884147
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: 51F08C28328FA4A2FA448FDBB90C1196260AB48FD2F18E170EF4A07B58DF3CC485C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: 44bd982de87b7b9a06009664450f2777bab72fc188efb7fa02744482d7f49e87
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: 72F09669329F14A1EB108FECE44C3596361EB89766F648259DB6A462F4CF3CC044C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: fb1c96070f1bbd8c52466b515c03c742fb3955bbc3562a61c2f5362b02f3ede6
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: 5BF05828204FA4A2EA588FDBB9081197262AB48FC2F08E030EF4A47B18DF38C445C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: 859cf1714d0438efb9fd229f799e05916821dabd80631214c70755d8405ab38f
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: 21F09679311F15A1FB148BEDE84C3596361EB84767F548219CB6A452F4DF3CC444C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction ID: cc4e45ee1de0211bceb984575181e682b35c92b14fcfce5c930bbfc96d3dc94e
                                  • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction Fuzzy Hash: EA02C836219F9496EB60CB99F49435AB7A0F3C5795F209015EB8E87BA9DF7CC444CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                  • Instruction ID: 8f9846ecf6cf7499faee6b5ce6658377365f055e4165f45403509503972279d5
                                  • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                  • Instruction Fuzzy Hash: 6561CD3A51DF94D6E760CB99E44831AB7A0F3C8796F109165EA8E87BA8DB7CC544CF00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction ID: c0f1102daedf8fd83df05dbad566c9dcb67f0f52cae9f12d02fc669b962d21e9
                                  • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction Fuzzy Hash: DB61EE3A519F94D6E760CB99E54831AB7E0F388786F209115FA8E87BA8DB7CC554CF00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: a15945065d89435b6d58080b2ea34464beef53a1596a2d5ce657289fdf07ecc6
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 5911733EA34E7131F67415ECD45D3751151EB783FAF38C6A4A976076D6DA34C841E200
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 0f0cd1f3b4902091acada321e62a835e8ba03bea7c675b6eead67c7f9176ca24
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 6B11C63AA60E3131FB6415ECE45D37991C86B58BB6F48C639A97F2E3D6CB34C881C200
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 4770082600421d2f4bb53b6383fc8d4b46f38f5b83b98cacefa30fc3353db637
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 4111EC3E6A4E3131FA54D5ECE44D37911906F59F76F48C638A976067DACA78C841C203
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 790992d3fedfbb3f0c19deaeddb177f6f54104038671def6cf99952e65a916c8
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 2711733EE14E7131F66415ECD45D3751243EB783BBF18C624AA7E076D6CA34C841E210
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo
                                  • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                  • API String ID: 3215553584-4202648911
                                  • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction ID: 944570b48e0c60bc5ad5e959f3b97a539a301ff4876b6c2567b65f1bc9dbc55e
                                  • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction Fuzzy Hash: 2961E27E606E6066FE69CBFCE55D32E66A0F785793F54C415EA0A037A4DB34C842C302
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo
                                  • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                  • API String ID: 3215553584-4202648911
                                  • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction ID: b809d82d10e30da49faebdcfad985b935ab92b62efaa54905c9af04f2a82b3da
                                  • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction Fuzzy Hash: 6761D63E614E60B2FA65DBFCD55CB2A26A0E785742F51CD15EA1A07FE4DB34C842C382
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 5ee5bc15fcc7ca4683ce8519a978933ac552fc7779cbca0cf07b2e2c35c6d78e
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 6561CF3B608F94AAEB20DFA9D04439D7BA1F348B8DF148255EF4A17B99DB38C085C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: aa70c4840d0660077c5495364ee98befc91b92371ab933d55f9a834b1db71008
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 4761BE3B600F949AEB20DFA9D04439D77A0F748B8DF248216EF4A53B99DB38D085CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: e2a4ec1541559836ceca0d34c116ae26037d4692d9dd8773577d8c71d6944edc
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 9C51C37A10CBA0FAEB748F9A948835977A0F354B86F24C159FA5A47BD7CB38C451C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 4352b4e7d2f757b2eeab07a41cb79b5cce5006a568909e68af21b5ba570d396d
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 9B51C23A105BA0EAEF748F99944835877A0F355B97F28C215EB89C7BD6CB38C451C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: d8bc5406c68cbc3a3f3e81927d6ca097891e5497fb3224580501911da265d3db
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 7D51E83A104BA0DAEB748FA9944835C77A0F355B96F28E615FB5987FD6CB38D490CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 2e3fcafa7e63c7afecd5eb320568e29d6bc18ccae88d7ce5c4c248ffc38c6f0c
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 9C51837A100BA0AAEB74CF99958835D77A0F758B86F34C117EA99C7BD6CB34D451CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 8a2ee0853dea6fc810b70285cdad8afa924fb268fca63da5ab5c18953c58d14e
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: 9F51BF3A712A20AAEF94CF99E448B1937A5F358B9FF52C224DE0647788EB34CC41C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 8bc61f57c5687e7a86239f1075434ff38e81a80eea30d95d659fdd3eaf197c62
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: DD51BF3A711A20AAFB94CF69E448B193795F758B9FF51CA24DA0663BC8EB74CC41C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: a13f22b0c5ddbfd73ffef1e451b0b481ee6602808d75d20c911345d57e3c4186
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: A731C03A602B60A6EB64DF5AE84871977A4F748BDFF16C214EE5B47784DB38C940C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: 7ede24912a818c19e80a806750f1858c6928fd0ae1f237999a321a790690d3dd
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: F731BF3A211B60E6EB54DF69E8487193BA4F748B9AF15CA14EE5A13BC8DB38CD40C704
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: bfa2cf39ed762a0c864f02a182d0b99d9a486c982741babc9b475573dd9f7606
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: F7D1F376724E90A9E712CFB9D44839C3BB1F754799F248216CF5E97B99DA34C406C340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: 01741f095c584cdd00ba98e3aa790e67a4177efe8c0c1c6c5439ed656a32a405
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: F2D1FF76B14E90A9E712CFA9D44839C7BF2F75479AF108216CF6E97B99DA34C406C340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free
                                  • String ID:
                                  • API String ID: 3168794593-0
                                  • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction ID: 6bfd24914fe268a9eaf32d670607eda920269b08af1813506c338134dac0ed3e
                                  • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction Fuzzy Hash: E2115E7A524FA0E6E724DFEEA80816977A0FB89F86F148025DB4A53726DE34C451C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: 6d7b5b403a3188d3b4841f9fb94707250acf1a7d2d8579f267c512fad794f412
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: 7391D67AB20E70A5F766DFAD94883AD3BA0F754B8AF24C109DE0A57795DB34C486C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: 0effa0560eecda1315c6bac3784fbf95153408d93820f0ff7fe2030bc37eebda
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: F991D37A710E70A5FB62DFAD94883AD3BE2B704B8BF148109DE1A57A95DF34C486C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: 6c068aa945f0ac6dafb2ede45e1116f91dfe096492dd73cd30e6c0fcb5e07c68
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: A7111226710F1599EF00CFA8E8593A833A4F75975EF441E25DB6D867A4DF78C1A8C380
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 898a99a824d3708835f2c6571b9ade3bad5d2cda467ec0446c5c9970c4b06ed6
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: 6471F63A20CFA166E7269FED98483EA7794F389B86F648066DD0B53B89DE35C541C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 5f5e41b068d0f293cc7ef7899fb07c4c471cec35d55f3e32321b6d3ba8d92876
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: 0971FB3A280FA166D726DFADD8483AA6794F385B86F648025DD0ED3B89DE35C645C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: CallTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3163161869-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: CallTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3163161869-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 9fd3008523d1d31d7ee32bda0e514125121f93270c61e4c83d0e3fe2aa1cbd72
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 4B61AB3B600F949AEB20DFA9D44439D77A0F748B8DF148A15EF4917B99DB38D496C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: 46897ffc2cc2630562e995aa3ab88a20c60a5fe9943d3a7bd5f75d2a5dc7dda7
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: 8051273A60CFA1A1E6799FEDE05C37A7B51F784B41F648165CE4B03B49CA39C544C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: a83db0d25de40b44f666c5a5d64bcfc4ffcb5cd7079b315c16954b0aa5d8d6a1
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: 0F516B3A284FA1A5F63ADFADE09C3BAA751F785B41F648125CE4D83B49CE39C544C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: 2b7cbdf29e740ea36268c330b496c3bcbbcaca586992bcfa57e7be5236719281
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: F0412A76314F90A2EB21DFA9E8483A977A1F398796F508021EE4D87794EF3CC445C740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: 8e6f9ddc8bd4a0050d82363797f3a651ef4e3f91162d625b6a7f86f7e5c4113b
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: CF115B36218F9092EB608B59E40435977E4FB88B99F288260EF8D47B68DF3CC552CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: c91e1e86bab824f286d7942031cacff95a827eda15b7eec0a60a9f277f66f1ea
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: 54112B3A218F9092EB65CB59E44435977E5FB88B99F688220EF8C47768DF3CC552CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: ierarchy Descriptor'$riptor at (
                                  • API String ID: 592178966-758928094
                                  • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
                                  • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: ierarchy Descriptor'$riptor at (
                                  • API String ID: 592178966-758928094
                                  • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction ID: 3bdf3a98a46eddaab18917913d4673d13906e839a3b4fd0dcf7fe39589f613a6
                                  • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction Fuzzy Hash: B2E08661640F84A0EF018F65E8442D833A0DB5CB65B49D122995C06351FA38D1E9C301
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3124929864.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: Locator'$riptor at (
                                  • API String ID: 592178966-4215709766
                                  • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
                                  • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126330898.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: Locator'$riptor at (
                                  • API String ID: 592178966-4215709766
                                  • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction ID: 5795fbfa8a47514ff8c6ddda118d1662a7868f1be9d24305db9b02968eedc405
                                  • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction Fuzzy Hash: 28E08661640F8490EF018F65D4401987360EB5CB55B88D122C95C06351FA38D1E5C301
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 435233d5cd765dd7833698f1ddb9f59ae8d1156237805913c2fcddc5f4e0a6b6
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: B2119129615F5492EB54DFAEA80C26973A1FB89FC2F188065DE4E53765DF38C442C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 1420031e885aaf21fcc6fdccc82258bc3790c71e1673b6532d453dab14891ff2
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: 95115129601F64E2EA54DFAEA44C22977A5FB89FC2F188025DE4E97765DF38C442C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3125474685.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3126704946.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: 5f6bbecbb8621be69b39046fe70b37093b4047639506c31062e86b7116282652
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 3EE03239A01E1486EB088BAAD80834A36E2EB89B07F08C0248A0907361DF7DC499CB90
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.1970038902.00007FF686591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF686590000, based on PE: true
                                  • Associated: 0000001B.00000002.1969951076.00007FF686590000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 0000001B.00000002.1970064849.00007FF68659B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 0000001B.00000002.1970096387.00007FF68659E000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 0000001B.00000002.1970820681.00007FF68681D000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 0000001B.00000002.1971750697.00007FF686A93000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 0000001B.00000002.1971824825.00007FF686ACA000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_7ff686590000_lrgkmixyjzta.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                  • Instruction ID: aa5ba63aab0d9c4dc5cff805978ebf4f8074599982a42362f75bc785f464a31a
                                  • Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
                                  • Instruction Fuzzy Hash: 71B012B0D0430DC4F7002F01F84136932607F19B84F400034C40C43362CE7F6850CB12

                                  Execution Graph

                                  Execution Coverage:0.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:100
                                  Total number of Limit Nodes:15
                                  execution_graph 22393 202c0ab273c 22396 202c0ab276a 22393->22396 22394 202c0ab28d4 22395 202c0ab2858 LoadLibraryA 22395->22396 22396->22394 22396->22395 22397 202c0ae202c 22398 202c0ae205d 22397->22398 22399 202c0ae2081 22398->22399 22400 202c0ae2173 22398->22400 22406 202c0ae213e 22398->22406 22404 202c0ae20b9 StrCmpNIW 22399->22404 22399->22406 22408 202c0ae1bf4 5 API calls Concurrency::details::SchedulerProxy::DeleteThis 22399->22408 22401 202c0ae2178 22400->22401 22402 202c0ae21e7 22400->22402 22409 202c0ae2f04 9 API calls Concurrency::details::SchedulerProxy::DeleteThis 22401->22409 22402->22406 22410 202c0ae2f04 9 API calls Concurrency::details::SchedulerProxy::DeleteThis 22402->22410 22404->22399 22408->22399 22409->22406 22410->22406 22411 202c0ae1abc 22416 202c0ae1628 GetProcessHeap 22411->22416 22413 202c0ae1ad2 Sleep SleepEx 22414 202c0ae1acb 22413->22414 22414->22413 22415 202c0ae1598 StrCmpIW StrCmpW 22414->22415 22415->22414 22417 202c0ae1648 Concurrency::details::SchedulerProxy::DeleteThis 22416->22417 22461 202c0ae1268 GetProcessHeap 22417->22461 22419 202c0ae1650 22420 202c0ae1268 2 API calls 22419->22420 22421 202c0ae1661 22420->22421 22422 202c0ae1268 2 API calls 22421->22422 22423 202c0ae166a 22422->22423 22424 202c0ae1268 2 API calls 22423->22424 22425 202c0ae1673 22424->22425 22426 202c0ae168e RegOpenKeyExW 22425->22426 22427 202c0ae16c0 RegOpenKeyExW 22426->22427 22428 202c0ae18a6 22426->22428 22429 202c0ae16ff RegOpenKeyExW 22427->22429 22430 202c0ae16e9 22427->22430 22428->22414 22432 202c0ae173a RegOpenKeyExW 22429->22432 22433 202c0ae1723 22429->22433 22472 202c0ae12bc 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 22430->22472 22436 202c0ae175e 22432->22436 22437 202c0ae1775 RegOpenKeyExW 22432->22437 22465 202c0ae104c RegQueryInfoKeyW 22433->22465 22434 202c0ae16f5 RegCloseKey 22434->22429 22473 202c0ae12bc 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 22436->22473 22438 
202c0ae17b0 RegOpenKeyExW 22437->22438 22439 202c0ae1799 22437->22439 22443 202c0ae17eb RegOpenKeyExW 22438->22443 22444 202c0ae17d4 22438->22444 22474 202c0ae12bc 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 22439->22474 22448 202c0ae180f 22443->22448 22449 202c0ae1826 RegOpenKeyExW 22443->22449 22475 202c0ae12bc 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 22444->22475 22445 202c0ae176b RegCloseKey 22445->22437 22446 202c0ae17a6 RegCloseKey 22446->22438 22451 202c0ae104c 5 API calls 22448->22451 22452 202c0ae1861 RegOpenKeyExW 22449->22452 22453 202c0ae184a 22449->22453 22450 202c0ae17e1 RegCloseKey 22450->22443 22456 202c0ae181c RegCloseKey 22451->22456 22454 202c0ae189c RegCloseKey 22452->22454 22455 202c0ae1885 22452->22455 22457 202c0ae104c 5 API calls 22453->22457 22454->22428 22458 202c0ae104c 5 API calls 22455->22458 22456->22449 22459 202c0ae1857 RegCloseKey 22457->22459 22460 202c0ae1892 RegCloseKey 22458->22460 22459->22452 22460->22454 22476 202c0af6168 22461->22476 22463 202c0ae1283 GetProcessHeap 22464 202c0ae12ae Concurrency::details::SchedulerProxy::DeleteThis 22463->22464 22464->22419 22466 202c0ae10bf 22465->22466 22467 202c0ae11b5 RegCloseKey 22465->22467 22466->22467 22468 202c0ae10cf RegEnumValueW 22466->22468 22467->22432 22470 202c0ae1125 Concurrency::details::SchedulerProxy::DeleteThis 22468->22470 22469 202c0ae114e GetProcessHeap 22469->22470 22470->22467 22470->22468 22470->22469 22471 202c0ae116e GetProcessHeap HeapFree 22470->22471 22471->22470 22472->22434 22473->22445 22474->22446 22475->22450 22477 202c0ae253c 22479 202c0ae25bb 22477->22479 22478 202c0ae27aa 22479->22478 22480 202c0ae261d GetFileType 22479->22480 22481 202c0ae2641 22480->22481 22482 202c0ae262b StrCpyW 22480->22482 22493 202c0ae1a40 GetFinalPathNameByHandleW 22481->22493 22483 202c0ae2650 22482->22483 22487 202c0ae265a 22483->22487 22491 202c0ae26ff 22483->22491 22486 202c0ae3844 StrCmpNIW 22486->22491 22487->22478 22498 202c0ae3844 
22487->22498 22501 202c0ae3044 StrCmpIW StrCpyW StrCatW PathCombineW 22487->22501 22502 202c0ae1cac StrCmpIW StrCmpW 22487->22502 22491->22478 22491->22486 22503 202c0ae3044 StrCmpIW StrCpyW StrCatW PathCombineW 22491->22503 22504 202c0ae1cac StrCmpIW StrCmpW 22491->22504 22494 202c0ae1a6a StrCmpNIW 22493->22494 22495 202c0ae1aa9 22493->22495 22494->22495 22496 202c0ae1a84 lstrlenW 22494->22496 22495->22483 22496->22495 22497 202c0ae1a96 StrCpyW 22496->22497 22497->22495 22499 202c0ae3851 StrCmpNIW 22498->22499 22500 202c0ae3866 22498->22500 22499->22500 22500->22487 22501->22487 22502->22487 22503->22491 22504->22491 22505 202c0b4d6cc 22510 202c0b4d6dd __std_exception_copy 22505->22510 22506 202c0b4d72e 22511 202c0b4d6ac 6 API calls __std_exception_copy 22506->22511 22507 202c0b4d712 HeapAlloc 22508 202c0b4d72c 22507->22508 22507->22510 22510->22506 22510->22507 22511->22508

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 58 202c0ae253c-202c0ae25c0 call 202c0b02cc0 61 202c0ae27d8-202c0ae27fb 58->61 62 202c0ae25c6-202c0ae25c9 58->62 62->61 63 202c0ae25cf-202c0ae25dd 62->63 63->61 64 202c0ae25e3-202c0ae2629 call 202c0ae8c60 * 3 GetFileType 63->64 71 202c0ae2641-202c0ae264b call 202c0ae1a40 64->71 72 202c0ae262b-202c0ae263f StrCpyW 64->72 73 202c0ae2650-202c0ae2654 71->73 72->73 75 202c0ae26ff-202c0ae2704 73->75 76 202c0ae265a-202c0ae2673 call 202c0ae30a8 call 202c0ae3844 73->76 77 202c0ae2707-202c0ae270c 75->77 89 202c0ae26aa-202c0ae26f4 call 202c0b02cc0 76->89 90 202c0ae2675-202c0ae26a4 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 76->90 79 202c0ae270e-202c0ae2711 77->79 80 202c0ae2729 77->80 79->80 82 202c0ae2713-202c0ae2716 79->82 84 202c0ae272c-202c0ae2745 call 202c0ae30a8 call 202c0ae3844 80->84 82->80 85 202c0ae2718-202c0ae271b 82->85 99 202c0ae2787-202c0ae2789 84->99 100 202c0ae2747-202c0ae2776 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 84->100 85->80 88 202c0ae271d-202c0ae2720 85->88 88->80 93 202c0ae2722-202c0ae2727 88->93 89->61 101 202c0ae26fa 89->101 90->61 90->89 93->80 93->84 104 202c0ae27aa-202c0ae27ad 99->104 105 202c0ae278b-202c0ae27a5 99->105 100->99 122 202c0ae2778-202c0ae2783 100->122 101->76 108 202c0ae27af-202c0ae27b5 104->108 109 202c0ae27b7-202c0ae27ba 104->109 105->77 108->61 112 202c0ae27bc-202c0ae27bf 109->112 113 202c0ae27d5 109->113 112->113 115 202c0ae27c1-202c0ae27c4 112->115 113->61 115->113 117 202c0ae27c6-202c0ae27c9 115->117 117->113 119 202c0ae27cb-202c0ae27ce 117->119 119->113 121 202c0ae27d0-202c0ae27d3 119->121 121->61 121->113 122->61 123 202c0ae2785 122->123 123->77
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 383afa285ac380fd55eaa2c4cb7d261a7defb1f4293108ecd3c580df2b121f06
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: 517190362047C1C6F625DF2998CC3AE7794F389B84F560127DFAA53B8ADA35CA598700

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 124 202c0ae202c-202c0ae2057 call 202c0b02d00 126 202c0ae205d-202c0ae2066 124->126 127 202c0ae206f-202c0ae2072 126->127 128 202c0ae2068-202c0ae206c 126->128 129 202c0ae2078-202c0ae207b 127->129 130 202c0ae2223-202c0ae2243 127->130 128->127 131 202c0ae2081-202c0ae2093 129->131 132 202c0ae2173-202c0ae2176 129->132 131->130 133 202c0ae2099-202c0ae20a5 131->133 134 202c0ae2178-202c0ae2192 call 202c0ae2f04 132->134 135 202c0ae21e7-202c0ae21ea 132->135 136 202c0ae20a7-202c0ae20b7 133->136 137 202c0ae20d3-202c0ae20de call 202c0ae1bbc 133->137 134->130 144 202c0ae2198-202c0ae21ae 134->144 135->130 138 202c0ae21ec-202c0ae21ff call 202c0ae2f04 135->138 136->137 141 202c0ae20b9-202c0ae20d1 StrCmpNIW 136->141 145 202c0ae20ff-202c0ae2111 137->145 150 202c0ae20e0-202c0ae20f8 call 202c0ae1bf4 137->150 138->130 149 202c0ae2201-202c0ae2209 138->149 141->137 141->145 144->130 148 202c0ae21b0-202c0ae21cc 144->148 151 202c0ae2121-202c0ae2123 145->151 152 202c0ae2113-202c0ae2115 145->152 155 202c0ae21d0-202c0ae21e3 148->155 149->130 158 202c0ae220b-202c0ae2213 149->158 150->145 166 202c0ae20fa-202c0ae20fd 150->166 156 202c0ae212a 151->156 157 202c0ae2125-202c0ae2128 151->157 153 202c0ae211c-202c0ae211f 152->153 154 202c0ae2117-202c0ae211a 152->154 160 202c0ae212d-202c0ae2130 153->160 154->160 155->155 161 202c0ae21e5 155->161 156->160 157->160 162 202c0ae2216-202c0ae2221 158->162 164 202c0ae213e-202c0ae2141 160->164 165 202c0ae2132-202c0ae2138 160->165 161->130 162->130 162->162 164->130 167 202c0ae2147-202c0ae214b 164->167 165->133 165->164 166->160 168 202c0ae214d-202c0ae2150 167->168 169 202c0ae2162-202c0ae216e 167->169 168->130 170 202c0ae2156-202c0ae215b 168->170 169->130 170->167 171 202c0ae215d 170->171 171->130
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: S$dialer
                                  • API String ID: 756756679-3873981283
                                  • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                  • Instruction ID: 7d0801e181e7e1027f0f2556f8cd6da4d5c454e321737ababf7947f23bb56196
                                  • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                  • Instruction Fuzzy Hash: 5651AC32B107A4C6FB61CF29E88C6AD63E5F704784F069123DFA512B86DB35C969C300

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: 1d03e476145ce09beb9e97f2b7c5aab0935724522098279c66d9844aa9511552
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: F2710636210B50C6FB109F25E8DCA9D23A9FB84F88F425123DB9E47B6ADE39C458C744

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: 8c3d5dbfacf504bca622ea7f657326f4a67cd1e3c1ec290e5004b19a988dad2d
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: BCF01922304781D2FB608B21E8CC76D6765F748BC8F958123DB994B966DA2DC68DCB00

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: 435a5f88e7c6a6dd218e0f6004eb37f2790bd4aa4d5b291e1e8191fef771e2ad
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: A8119672618782D2F760D721F8CDB6D2294BB54748F528127ABB6497A3EF78C46C8240

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
                                    • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
                                  • Sleep.KERNEL32 ref: 00000202C0AE1AD7
                                  • SleepEx.KERNELBASE ref: 00000202C0AE1ADD
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
                                    • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
                                    • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: 1519724245a59a03f973eddcebe70884a6cccd966baeab2eab41fd8751cf1259
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: ED31C071200BE1C1FF509B26DACD3AD53A5AB84FC4F0654239FA987697FE14C879C210

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 229 202c0ab273c-202c0ab27a4 call 202c0ab29d4 * 4 238 202c0ab27aa-202c0ab27ad 229->238 239 202c0ab29b2 229->239 238->239 240 202c0ab27b3-202c0ab27b6 238->240 241 202c0ab29b4-202c0ab29d0 239->241 240->239 242 202c0ab27bc-202c0ab27bf 240->242 242->239 243 202c0ab27c5-202c0ab27e6 242->243 243->239 245 202c0ab27ec-202c0ab280c 243->245 246 202c0ab280e-202c0ab2836 245->246 247 202c0ab2838-202c0ab283f 245->247 246->246 246->247 248 202c0ab28df-202c0ab28e6 247->248 249 202c0ab2845-202c0ab2852 247->249 250 202c0ab28ec-202c0ab2901 248->250 251 202c0ab2992-202c0ab29b0 248->251 249->248 252 202c0ab2858-202c0ab286a LoadLibraryA 249->252 250->251 253 202c0ab2907 250->253 251->241 254 202c0ab286c-202c0ab2878 252->254 255 202c0ab28ca-202c0ab28d2 252->255 258 202c0ab290d-202c0ab2921 253->258 259 202c0ab28c5-202c0ab28c8 254->259 255->252 256 202c0ab28d4-202c0ab28d9 255->256 256->248 261 202c0ab2923-202c0ab2934 258->261 262 202c0ab2982-202c0ab298c 258->262 259->255 260 202c0ab287a-202c0ab287d 259->260 266 202c0ab287f-202c0ab28a5 260->266 267 202c0ab28a7-202c0ab28b7 260->267 264 202c0ab293f-202c0ab2943 261->264 265 202c0ab2936-202c0ab293d 261->265 262->251 262->258 269 202c0ab294d-202c0ab2951 264->269 270 202c0ab2945-202c0ab294b 264->270 268 202c0ab2970-202c0ab2980 265->268 271 202c0ab28ba-202c0ab28c1 266->271 267->271 268->261 268->262 273 202c0ab2963-202c0ab2967 269->273 274 202c0ab2953-202c0ab2961 269->274 270->268 271->259 273->268 275 202c0ab2969-202c0ab296c 273->275 274->268 275->268
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: e9c472418be9705004432d1361e805bb540b7ad58247b10c253449de9ed0d722
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: 8161DF72B01790C7EB648F15908C76DB3A2FB54BA4F598127DF5D0778ADA38D86AC700

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 276 202c0b4d6cc-202c0b4d6db 277 202c0b4d6eb-202c0b4d6fb 276->277 278 202c0b4d6dd-202c0b4d6e9 276->278 280 202c0b4d712-202c0b4d72a HeapAlloc 277->280 278->277 279 202c0b4d72e-202c0b4d739 call 202c0b4d6ac 278->279 285 202c0b4d73b-202c0b4d740 279->285 281 202c0b4d6fd-202c0b4d704 call 202c0b50720 280->281 282 202c0b4d72c 280->282 281->279 288 202c0b4d706-202c0b4d710 call 202c0b4b85c 281->288 282->285 288->279 288->280
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: AllocHeap
                                  • String ID:
                                  • API String ID: 4292702814-0
                                  • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                  • Instruction ID: 34ca642fddbfa80b98dd7d1e12cd625f7d8416b3242e726ef6993ad470ce53bd
                                  • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                  • Instruction Fuzzy Hash: 51F03A58301701C1FE68DBE699DD3AD52845BA9B88F0F54374A0A867C3EE2CCE898621
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: ea49defb10b1f29b0a940c33d04d96a7ecb763d36349eb628f0f926092e888ee
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 49B15B62610F50C2FB68CFA5D48C7AD63A5FB64B88F865027EE0953B96DA34CE48D740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: 629c2a77cc7c689ebc2a82fae016c29b45818ce3604cad8590d8ad8b42d26791
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 8BB18B62210BA0C6FB688F25C8CC7AD67A5F744B88F565017EF9953796EB35CC68C340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 074cb2b116bef8104a3ff1e1834ec69d9378fb96776ea096e4a568f3e73522d9
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: 7E313A72205B80CAFB60DF64E8883ED6364F794748F45402BDA4D57A96EF38CA48CB10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 43f65ee015122b04127526cc5c334c21e5a52d8fe7862f76cef395083f707644
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: 74311972205B80CAFB609F60E8887ED6364F784744F45442BDB8E57A9AEF39C658C710
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: 20738ec7ba0cd5b3c578590298eade2181db2edcda4be7abefa7008bced66b77
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: 36318632214F80D6EB60DF65E88839E73A4F799758F550127EA9D43B56DF38CA49CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: 3629953f5db9c1b5f8070e01c3cc1c8c2a667b2e639c3edd282c0df2f16cc2f9
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: FF314F36214B80C6EB60CF25E88879E73A4F789758F550127EB9D47BA6EF38C559CB00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: 149db328da245b585e47ad4ced1ad46789ec14c8a6fdb7b940b5e9de63c5882f
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: 76711826A10B11C6FB20DF65E8DC69D23A8F794B9CF461613DA4E53B6AEE34C948C740

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: 2b8714d9082f3f218f4c46e0c3f9fa38d1d4531711b30a527e95a4339a34b327
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 77513836600B85C6EB54CF62E48C36E77A5F798F89F054126DA4A07B5ADF3CC9498B00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: a5c0dd0dd48098ab404cbb16107d584fe92d72ef17c22032ec6d5acc94b81fb7
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 2C513876200B84C6EB50CF62E48C35EB7A5F788F89F458126DB890776ADF39C059CB00

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: e40b0a0d983c3e5c2f972df2f8d56332244cd6638b8c526d6e2f878550c6667d
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: EC316F64600F4AE0FA15EBA5E8DD6EC2321EB2474CFC35553994A02567AE78CF8ED350

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: 90a0736ddaf8fe37476ff4478ca91d660d6ffa8bbfea73cfc67e31501e438409
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: 5031A2A5100B8AE0FE15EF69E8DD7DC2321F704748F835423D7A9021679F79866ED391

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 14de66892ba18830acab2e245ab1e6cb8a15d62160b2822f01b591de40b948de
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 1381EE31600701CAFB50AB66A4CD39D66E8EB85780F57842BAB48977B7DF3DC88D8700
                                  APIs
                                  • GetLastError.KERNEL32 ref: 00000202C0B4CE37
                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE4C
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE6D
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE9A
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CEAB
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CEBC
                                  • SetLastError.KERNEL32 ref: 00000202C0B4CED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,00000202C0B4ECCC,?,?,?,?,00000202C0B4BF9F,?,?,?,?,?,00000202C0B47AB0), ref: 00000202C0B4CF2C
                                    • Part of subcall function 00000202C0B4D6CC: HeapAlloc.KERNEL32 ref: 00000202C0B4D721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF54
                                    • Part of subcall function 00000202C0B4D744: HeapFree.KERNEL32 ref: 00000202C0B4D75A
                                    • Part of subcall function 00000202C0B4D744: GetLastError.KERNEL32 ref: 00000202C0B4D764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF76
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction ID: 2cdc79b8be68d16d60699a1a675998334f4061f55ae4612a1583d38688d983d1
                                  • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction Fuzzy Hash: 7141C121340745C5FEA9E7F155DD32D22429B64FBCF1B0B27A83A476D7DE28AE4D8200

                                  Control-flow Graph

                                  APIs
                                  • GetLastError.KERNEL32 ref: 00000202C0AECE37
                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE4C
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE6D
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE9A
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEAB
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEBC
                                  • SetLastError.KERNEL32 ref: 00000202C0AECED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEECCC,?,?,?,?,00000202C0AEBF9F,?,?,?,?,?,00000202C0AE7AB0), ref: 00000202C0AECF2C
                                    • Part of subcall function 00000202C0AED6CC: HeapAlloc.KERNEL32 ref: 00000202C0AED721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF54
                                    • Part of subcall function 00000202C0AED744: HeapFree.KERNEL32 ref: 00000202C0AED75A
                                    • Part of subcall function 00000202C0AED744: GetLastError.KERNEL32 ref: 00000202C0AED764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF76
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction ID: 4882f9c6545ddba956175daa0b1033055c58a1b9921f799def37e079ec50fdf9
                                  • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction Fuzzy Hash: 754197603013C4D6FE68A73555DD36D2242AB44BB4F174B27ABBB077E7EE38886A4600
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction ID: 008dbc35dcd28df123ba3ecaa6d45c164ec4b741ee261da0caa348c2525fb32f
                                  • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction Fuzzy Hash: 73213832614B41C2FB10DB25E48C36E63A4F799BA9F550217EA9903AA9CF7CC949CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction ID: a0d3f3940cedbe8f49a02ff4fcf1ce97ef5dd93de91068aee362f87148ae0ba9
                                  • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction Fuzzy Hash: 31213832614B40C2FB208B25E48C75E67A5F789BA4F514217EB9A03BA9CF3DC54DCB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction ID: 181cfaa8d1e203509729981359315e3b225e44fdda2c096569e0a7ba0a0bf46d
                                  • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction Fuzzy Hash: E5E17A72604B80CAFB60DB69D48839D7BA4F755B98F12011BEF8957B9ACB34C499C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction ID: fc94518462626f888d8846af3be64f0efb4c56cc64aa87eac9decc31170b97bd
                                  • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction Fuzzy Hash: 38E16B72604780CAFB60DFA5948839D77A4F765B9CF120117EE8967B9ACB34CA89C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction ID: dc69ca82dc18b6d9c62c9d97f6a4348578a3add946f7b447ab90ca90604d3949
                                  • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction Fuzzy Hash: 12E16A72600B80CAFB60DB65948C39D77A4F7A6B98F120117EFA957B97CB34D4A9C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction ID: 4d0429e463cdcf790b333bae80d732790b8fc7ae5b9fddcec2d0db7aee47192f
                                  • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction Fuzzy Hash: E741E622311B11D1FA57CBA6A88C75E2395F759BE8F0B45279D0D87786EE38CE4D8310
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction ID: 26dcd2d441800ec49dab0db58e17c16847a3beddbc1f683c45a4dffa8db80317
                                  • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction Fuzzy Hash: 2A41F422311B90D1FA16CB56A88C75E2395F748BA0F0A45279F6E877D6EE3DC45D8300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction ID: 99df361078cfd39b5a53b450fecf6a20a2520eab45679cb7f8f0db21186f57c2
                                  • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction Fuzzy Hash: 1C414F33614B84C6F760CF61E48879E77A5F388B98F45812ADB8A17B59DF38C949CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction ID: a80658ec44f4b8303e4c6cbc6e08df687ba0206d03e3ba62d1abb9220ce3f758
                                  • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction Fuzzy Hash: B6415E73214B84C6F760CF21E48879E77A5F388B98F45822ADB8907B59DF39C599CB40
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D087
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0A6
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0CE
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0DF
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction ID: d231aa1d353db854b018b057b1d8bd56a7c0a04610d8b0695e9d3c6f40d33619
                                  • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction Fuzzy Hash: F9119020704744C1FE69E7A559DE33E61419B647FCF1A4727A839477EBDE28CE4A8200
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED087
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0A6
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0CE
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0DF
                                  • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction ID: 363b9827668d8b761d31e44ad5a3e4dbf29d2bfe1cda884ffc1cc8260375dec9
                                  • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction Fuzzy Hash: D111AB607043C4C6FE68973555DD37D6141AB447F4F1A4727EAFA077DBDE28C86A8600
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 82d5730b3bd781178e04ea6ea214ed563beb6a2d9171056f0756c27a91450d9f
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 7C81B160690741C6FA54EBEA94DD36D2291EB65B8CF5B48279A0847397DB38CF4DCF00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 14979f1a24b322753f854ca5a4dead1d4ee237c3b69154d6c2c35d4c8e247c5d
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: CE81F4617007C1C6FB54AB65A8CD39D2390BB85B84F174427EBE9477A7EB38CA6D8700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 87e2d02121405d5361c2b6a95ffff34f0ff5d3ef441214c854b1118af53f8c05
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: AD31E621352B40E1FE66DB82A48C76D2398B758BA8F5B05279D2D0B796DF39CA4D8304
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 93692ba9be4b391852265e8ab40df330be3080cd4f0ad2a801a0759650363b03
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: A731A722212B80D1FE15DB42A48C75D2294B748BA0F5B49279FBE07792DF39C5AD8304
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: cbbbceb24f5ce54632a83b901a10a48b25b1590716be8934f9ae3d7b08fea1b1
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: AC115B21614F81C6F750CB52E89C31D66A4F788FE8F094267EA5E877A6CF38CD198740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: b26ab6e85d4882431b05eb7ffbdc71b03f0f6e90507cbc4b46897213533c190b
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: 91116D22314B40C6F7508B52E89C71D77A4F788FE8F154227EA5E877A6CF39C8188744
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: 3dd9236182729e1c9d45bc30feb16208763638e2466170d7b0defd25a75cf602
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: CF113C26704B41C2FF54DB61E48C66DA3A4FB48B99F4A042BDE8907796EF3DCA09C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: bcb637cd16c44afa16a89db43d108bf5c410f3b34640b7b1e1fa2b494dd30d53
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: E1115726304B81C2FB149B21E48C26D72B4FB88B85F06412BDF99037AAEF3EC509C704
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction ID: 082a9d93261c48ee679b36a2734b52a2479ae609a7ebdf301e1be071b0282b61
                                  • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction Fuzzy Hash: C1D18936205F88C5EA70DB86E49835E77A0F798B88F150517EA8D47BA6DF38CA55CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction ID: dbc3b65819fd6533e59164d32a3bb8f97f2c88b353aa9b524f2c9543e34d3ae7
                                  • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction Fuzzy Hash: 30D18776205B88C6EA70DB1AE49835E77A0F388B88F110517EADE47BA6DF3CC555CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction ID: b1ab9f40b1b022d4ca432ff24e07bc5572fa7a11743250ed673a526c4c5375f9
                                  • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction Fuzzy Hash: 3831BD22701F51C2FA54CF96E58C72D67A0FB64B88F4A41239F4847B57EF34C9A98300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction ID: 539d7fa312dabe0a02a4a36991552fccd56336bf33b53f387f86ad28829e058b
                                  • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction Fuzzy Hash: 18319D22701B91C2FA14CF16A98C72DA7A0FB44B84F0A41279F9847B67EF35C4B98740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: eb53f131f87901231c0a27538f4d99e0b73b6215208e06d7d335de92b87f5561
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: E1117F20304790C1FE69E7B155DD32D2252ABA4BFCF170727A836477DBDE289E4D8200
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: c83c6b407707b4dbc6b3b7b82b2caed50328515e1eb0a43fe36386d7293909be
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: 0A1163203013C0C6FE68A73555DD72D6242AB987F4F164727EAB7477E7EE68C86A8700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: a6561bdb165a881d15422f835cadb1e13ccb21f1502ce777dd17883e3612e1f0
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: 8F013521700B41C2FA54DB52A88C36D63A9B788FC8F894477DE5953756DE38C9898700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: c1f12f185a365d98643c548e91b1e72bf4effc7dbd05845da70183f29bcaf82d
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: DD010532301B80C2FA649B52A89C75963A9B788FC4F894137DF9A43766DE39C989C740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: 74fd01a74412d06a4f1fde6f711d275a3bc9d19be57d7f81b4b0cffb2d4478c7
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: 8A012965711B41C2FB24DB62E88C75E63A4BB59B8AF0A0467CE49077A6EF3DC94C8700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: 164501a6415bffd66fe917e88f769ddc3ad1f1b40aa64bea97b79c9247d2f77e
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: B5012DB6611B40C2FB249B21E88C71E73A4BB45B86F154527CF9907766EF3EC55C8704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction ID: cdf4f2fb1187d6a8dcbafb28738f89d68df44d9043d5a640eb90c02eb8421405
                                  • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction Fuzzy Hash: 2B51BC32201702EAFB14CB55E88CB5D37A6F364B8CF128127DA565378AEB35CE49C708
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction ID: 4b0a6f3e062a47a2f3e77ad4f28d0830188973ba44af3f5408a27d7634b4296d
                                  • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction Fuzzy Hash: 6751BF32201B81CAFB94CF15E88CB5D3795F344B88F528227DBA64774AEB35C859C708
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: 020cede8a7a987332edfbf5aca9d92e432b968816ab88e3e30adde122549f28e
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: D2F03C22704741D2FB60CBA5E8CC75E6765F758BCCF854023DA4947956DE6CCA8DCB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: 5d9cbfb492b0178b2b911afb72d4c9bd8dfc2e2cf28399869c02c77398260dad
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: BBF08220708B81C2FE54CB57B99C21D6264AB48FD8F094173EE4607B1ADF3CC98D8704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: 645132413f0d5c41dbedb974bd271ef1814a753cdf3104992c7f24d066aaf9fd
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: 73F06261311B05C1FB10CB64E4CC75D6320EB88769F55025BDA6A461E6CF2CC94CC740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: 748eaec06fdd8304175141e91d7fcb10eea3299cf276c1654e8c92baf0a6311d
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: 6DF01C66718B84C2FA148B53B99C11D6665AB48FD0F0A9233EF5A4BB2ADF3DC45D8700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: b1dae043e590163143f4e82ec39ab210fa29368e4bf0a17308b2a9fdf74dbffb
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: 65F06262211B45C1FB108B24E8CC35E6360EB88765F55021BCB6A452F6DF3DC55C8700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction ID: 3fed152e6cff7dccc901cbea7ee32e5366edeb575043839d1dac5842a2deb3ef
                                  • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction Fuzzy Hash: 9802BB32619B84C6E760CB95E59835EB7A0F3D4794F110417EA8E87B6ADF7CC958CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction ID: cdd9b78ec5eaf04cb1b2f14923f4cedba8257b9bf05445ea44050982a578b50b
                                  • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction Fuzzy Hash: 6C02A432219B84C6EB60CB55F49875EB7A1F384794F110117EBDE87BAADB78C498CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction ID: 77d1f7d05a3ad9f64fc2c1a5073131f9b872f7803a0cba496c3396a3ccaf51c6
                                  • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction Fuzzy Hash: 61619736519B44C6F660CB95E58C31E77A0F398798F111117EA8D47BAADB78CA48CB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction ID: 76b413ec14e38a6ac9e88e25468b0616ac705ba1cdb0ca70ff7d6d8fad0dbab9
                                  • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction Fuzzy Hash: 6061B676619B80C6F660CB15F48871E77A0F388794F110517EBDE47BAADB78C968CB40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 2438009d4eccd0bfdc5c9a2303f4341fa76b055f83bc79e43529a95e1e4287f6
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 5B112533A5CF09C9FAA42128E4CE37D10D07B59370F4B863BAB76163E7CA6AC84C4201
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: a27617d20751772c0d2e6d2b58e970e4ca10ba7ae22a2201759a8aa1afc7c419
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: EB112322A00F5091F6A49128D4DD36D88106B783FCF0B06A7A936276D7CB74CCCD6200
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: aadaf6c08f9748136de9f6cbceaa287ca2a5a32013c1ebda6f4ef6558c209bf0
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: EE119E23A10B54A9F7641568E8DE36D11406B683F8F0A0727AB76076EB8B2AC8CD424C
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo
                                  • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                  • API String ID: 3215553584-4202648911
                                  • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction ID: 26cf979074d90fcf05d85e544fcdcf7579b7cc95cef60043f929738aa5a5c4dc
                                  • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction Fuzzy Hash: F2610536600760C6FA69DB69E5CC76E6AA0F789780F5B8917CB0A177A7DB34C84DC300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 1082c6acd1cc596f15c131e8822e091c6a91a0a8de98abab672acc75df972cb0
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: EB613B32600B44CAFB50DFA5D48839D77A1F368B8CF154217EE4927B9ADB78DA59C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 558256b13703980bb35bc78ab76fb44dce15fdc78b8fdb1fb2b32ce49efec02f
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 36614832600B84CAFB20DF65D48839D77A0F399B88F154217EF9917B9ADB78D5A9C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 19c43cd71e60161d93812c77d0e4ac8737510cff6eeb5711627b4654a467fa8f
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 44516D36104780CAFB748B25959C39C7BA0F365B94F1A8217DB998BBD7CB39D499C700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 02eca69797dd3fc95978741111c5327d76f7dc405fd09751aa7a5e218e1104e0
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: B2514A72100380CAFB64CF9595CC35D77A0F364B99F164127EA9997AD6CB38DA99CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 97304d35c4b486749e002e92b9cf81982149fd581c5d11b448b14438c7f928ed
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 44514C721007C0CAFB648B2595CC35D77A0F766B95F1A4217DBE947B96CB38E4A9CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 8446a618bbd1140fecb175adc7a255fff733e8375c6260d7fd1f59283cc66251
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: 1151AB32601700CAFB29CF29E48CB5D3795F354B98F568227DB164378AEB35D889C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: 90803dd6b9b29f9c4154e969358d487dae67566bd5ce1f620f43925fcc542657
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: 7F316A32201740D6FB299F29E88C75D7BA4F340B98F168117AF5A07786DB39C948C704
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: 8a758bb2884d5aaedfb3744de96242c17db80bcf3bb398f7e2c9eb2ed4567db6
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: 02D1BC32B15B80C9F711CFA9D4882AC3BB2E355B9CF154257CF59A7B9ADA34C90AC340
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: 5415e984cde6a1f954e745032577872c235aef40fdbcb0d3a10d64624b9653db
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: 99D1BC73B14B80C9F721CFA9D48829C3BA1F354B98F158217CF5A97B9ADA39C54AC740
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free
                                  • String ID:
                                  • API String ID: 3168794593-0
                                  • Opcode ID: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
                                  • Instruction ID: e1a4700da16e8d3ef1b17da53b22238d79ed5d8b917823312ea25b365b8a4f34
                                  • Opcode Fuzzy Hash: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
                                  • Instruction Fuzzy Hash: 1E117977500B90C6F714DF62A88C14DB7A4F788F81F0A4127EB4903766DE39C0598744
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: 4f66446779e12f263f25ce4e9c77a33638de583a08e4096a77af12e6fbb60eb3
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: 9A919C22701B50C5FB64DF6594DC3AD2BA0B756B8CF16419BDF0A67A96DA34C88AC700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: 7750c07c3da3ab5777ee1fb19e88fe5ee8ba8c540cdc789170c23b37d6888931
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: D9918A73610B50C9FB61DF6594CC7AD2BA0B744B88F56410BDF4A67A96DB3AC88BC700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: 479f58a84b1af8cc552df62d3a1eb5b2e5cfb4fc25200f2b708c8a573a58311b
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: 7F110A22710F418AFB40CBA0E8992AC33A4E719B58F451E22DA6D477A5DB78C5988280
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: c1e121f40b66a15715f8d269b70c98ee374ca54bb48e74cdb6f3174d14493375
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: 34111C22710B01C9FB00CB60E8983AC33A4F719B58F450E22DB6D467A5DB78C5988380
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 7d93dc7456e3ad94e783113e8cd02d63737e867bede78650b2f336d940fa284c
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: 0171C236200B81C5F764DFA5A8CC3AE6794F7A9B88F960117DE0953B8BDA35CF499700
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: CallTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3163161869-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: f3028f0bacb26f4c6116040a1e45f79bacc9d5a175de68b6d573a429fff7c7f3
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: B7614532A00B84CAFB24DF65D4883AD77A0F748B98F154217EF4917B9ADB38D599C704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: 5f314875d0c3bc3841964ba540442de661241415e68cd2692db0ecf16478f177
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: D651D322604B81C1F664DBA9A5EC3BE6651F7B5788F860127DF5903B4BDA39CE0C9740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: 3514571e2c1d6cd3889b28a5e79674fb4b07f5075b2e224e86b20f94a4d05b12
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: 2B5180322087C1C1F6649B29A5DC3BEA791F385B80F560127DFEA03B9BDA39C52D8750
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: 33d0f85bed8054878330e124cb41046c1196a38989f2ae81037b8b67b1af0991
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: DC419132215B80C6EB20DF65E88C3AE67A0F799798F554023EE4D87795DB3CC945CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: b84669cd5d919c91a09ffca97e8587df6a0950af1a2baa035680203c31bd1311
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: 93418E63614B80C6EB209F25E8883AEA7A0F798794F524023EF4D87795EB39C44AC740
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: 08f9c71afd5e9278f51d521f771f4a89ae9865d7b896ade5cf211a61c0145b66
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: A0112B32214B8082FB61CB15E48835DB7E5F798B98F594262EE8C47B59DF3CC955CB04
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: 149d407967b934cd8ed689359ce0485475af0033eaf3f8f7976efa754672e473
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: 8F112B36214B8082EB618B15E48835D77E5F788B94F594222EFCC077A9DF3DC569CB04
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: ierarchy Descriptor'$riptor at (
                                  • API String ID: 592178966-758928094
                                  • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction ID: 8da40ad284d153a9b89d1544e12ba7a913fe1935213764a8cba5128ad5ea2d85
                                  • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction Fuzzy Hash: A1E08661641B44D0EF018F31E88829C33A4DB58B64F9A91239A5C06312FA38D1EDC300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3139891765.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ab0000_lsass.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: Locator'$riptor at (
                                  • API String ID: 592178966-4215709766
                                  • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
                                  • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: f7db78db4812f02fdb92ec06a4f81ca507783c67906b6739e6c27fb9885f9b4a
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: 9D119D25A01F45C1FA44CBA6A88C22D63A0FB98FC8F0A4027CE4D57767DE38C8469300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 0bfdd2f4f70d0c77588d297d632a834cc4e271defd7936f82574c36193d19b8d
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: 6C119A26601B94C1FA44CB66A88C22D63A0FBC8FC0F1A412BDF8D83766DF39C45AC300
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140509666.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0b40000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: 06db176155879b138fcd680d50a070c95727c6bf2d194cd39e0c05b7c35e898b
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: FAE03935601B05C6FB44CB62D84C36E36E5EB99B0AF069026890907752DF7D889AC750
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001C.00000002.3140098003.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_28_2_202c0ae0000_lsass.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: 14bf7bafefd4b55b8bc325b1bb0149ce76066631eeb9ae1ebb85862f094286e6
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 48E03936601704C6FB048B62D84C34A36E5EB89B06F0681268B0907362DF7E8499C750

                                  Execution Graph

                                  Execution Coverage:0.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:73
                                  Total number of Limit Nodes:2

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: 077229c1eed964279b07ec97370b47b92095969d86f76acc536d4c6ada0caa5e
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: DC11AD70F246408BFB60EB61F98DB6923ECA746F46F8C41249907A3691EF7CC04C8283

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
                                    • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
                                  • Sleep.KERNEL32 ref: 000002A661301AD7
                                  • SleepEx.KERNELBASE ref: 000002A661301ADD
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
                                    • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
                                    • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: 99b07525fd2711d8e82b8b49fba128a9359a21ce05ef994d83d7f8484eb62716
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: F3314171B00A4593FF509B26DA4D3A963FCAB46FCAF0C54219E0BA7295FF1CC459C292

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: dialer
                                  • API String ID: 0-3528709123
                                  • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                  • Instruction ID: 84d7da99e8808b0adfb76846f8b28e16625e6655772c6f218550ef611b4de524
                                  • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                  • Instruction Fuzzy Hash: 59D0A760B512498BFF14DFE688CDA603798EB09F45F8C4034D90213150DF6C8A9D9711

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130525469.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a6612d0000_svchost.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: 1627250a6f1587746d6adcb486bc21ae0d1f8d3e6a0bb4f849c2ff22e67d6bd2
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: DC61F0B2F016908BDB548F25D0487ADB3AEFB55FA4F688121DE5907788DF38D89AC701

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: 517c12f0b0e1090de60bb0fcc7bf1fefb46beb5eab338aff40a4245cd4b9731a
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 52B17C72B10A9087EB649F35D64C7A963E9F746F86F485016EE0A63B94DF39CC48C381
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: cc74eacb843f1603229d41cad126e5c04d88afadf7cf4452611ec155d591a17a
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: E5315072705B808AEB609F60E8483ED73A8F785B44F484429DA8E67B94EF7CC54DC710
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: 36f9f4375d1256616007857bae393de0df9f8980b3b202d925a5ac7eb32d36a2
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: 4A316F32714F8086DB60CF25E84839E73A8F78AB55F580125EA9E53B68DF7CC159CB41

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: c27f832fced2d29170b0e4fb301a485cb6098ecabde165e8eb95b814a7a813c5
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: BA71F476B10E5087EB10DF65E89D69933B8FB8AF8DF081121DA4F67A68DF28C548C341

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: 5c01c19bc0298f85c8339ea94e196dd5b5f1323890ee4be88120aa0ba9bb59bc
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: F0512776A14B8487EB50CFA2E44D35AB7B9F78AF89F094124DA4A27728DF7CC049C741

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: 147c2e2ec541b53145e726b289546c28288565d736413d3e5244b9f1f05d4738
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: 8A31A064B10A5AA3EA04EBA5ED5E6D423A9B717F49F8C4113940B331659F3CC24DC3D2

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130525469.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a6612d0000_svchost.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: e87bf346922b52b2af9168f1f418e053012b6a09ee5fcf7955fafdcfd6fac762
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 0D81CE21F106818BFA54AB66D48D399329DAF87F80F5C8125DA4987796EF3CC9CD8703

                                  Control-flow Graph

                                  APIs
                                  • GetLastError.KERNEL32 ref: 000002A66130CE37
                                  • FlsGetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE4C
                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE6D
                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE9A
                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEAB
                                  • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEBC
                                  • SetLastError.KERNEL32 ref: 000002A66130CED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,000002A66130ECCC,?,?,?,?,000002A66130BF9F,?,?,?,?,?,000002A661307AB0), ref: 000002A66130CF2C
                                    • Part of subcall function 000002A66130D6CC: HeapAlloc.KERNEL32 ref: 000002A66130D721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF54
                                    • Part of subcall function 000002A66130D744: HeapFree.KERNEL32 ref: 000002A66130D75A
                                    • Part of subcall function 000002A66130D744: GetLastError.KERNEL32 ref: 000002A66130D764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF76
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction ID: a3ebcece3df98fd1e9725f906f8bf8db5f5c64855dc8a79f9fd7b15e885684d0
                                  • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction Fuzzy Hash: 77417420F0128443FA68A735595D36922DD5B47FB2F1C4764A93B376E6DF2C980D8393

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction ID: 9e913e5ef9d9d4dd90f3ca067dd4efb44e8ac8cefc28dc1332a14b226ca3e093
                                  • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction Fuzzy Hash: 6C213A72B18A9083EB10CB65E54D35A73A4F78ABA5F580215EA5A13AA8CF7CC149CB41

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130525469.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a6612d0000_svchost.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction ID: 681959dd6542599d6789764f186a42efd8a6d505218f830932f82b8ebb8010d4
                                  • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction Fuzzy Hash: C1E17C32F04B808BEB609B65D45839D77ACFB56B98F181115EE8957B99CF38C0E9C702

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction ID: f9dc5a9824cbe41745e6e6afb53450f4abea2dc5f6e99ba2920a5b912b4b268f
                                  • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction Fuzzy Hash: AEE19F72B047448BEB20DF25A44C39D7BE8F746B99F084115DE8A67BA5CF38C189C782

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction ID: fa6adfc857896f79626ba7455a121a59232fbacac11bf9aa969e94737a29d1b3
                                  • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction Fuzzy Hash: 2241E122B15A0083EA16DB56A80C75533DDBB46FE1F0E41259D0BB7784EF3CC44D838A

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction ID: 29549edc3a05bb9f30fb41ffd792d5d1f480f0e7d2fd4d10c68227b69ff2f9b1
                                  • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction Fuzzy Hash: 2B418B72614B80C7E764CF61E44839A77B5F389F89F488129DA8A17B58DF3CC489CB41
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D087
                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0A6
                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0CE
                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0DF
                                  • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction ID: bc4377a1b8938ee1d589c6b188f15fe87120af383a10576ee3c01281e8991c6e
                                  • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction Fuzzy Hash: F2118620F0428443FA68A735595D36962DD5B46FF1F1C4324993B277DADF2CC40A8686
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 94d9e67a34e61d90d8dc91a526529cd9d217a7a82295564c3aa49440afe65ca8
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 79810230F0064187FA50AB69984D39966ECAB87F82F1C44249A8B73396DF3DC84D8783
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 50e13fa17c3bf59197d400e801c98b0be272adff0d23520052f25ab3404dd5bc
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: 3F319021B12A40A3EE11DF46A80C76562DCB74AFA1F5D05259D1F6B790DF3DC849C392
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: ff65df3e6d8c9de4419cb773b33199b337b810cada23280e1cd4933ea371c746
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: 8A116D32B14B8087E7509B52E84D31976B8F78AFE4F084224EA5F97794CF7CC8188781
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: 025d1bc40c232432275dae4ecc1318edf57f0e1ebcf64f5229914e418f725714
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: F8115B76B04B8187EF149B62E40C66976B8FB8AF85F480029DE8E17794EF3DC609C705
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 72cf71b4c8bcd0622c645fc165e77207b5f5e2b8a8cfb2fde8c47a753de635a3
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: FC115B75B01B8482EA04DB66A80D22A73E9EB8AFC5F1C4028DE4E67765DFBCC446C341
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000001F.00000002.3130934096.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_31_2_2a661300000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: b5369b631e5731d7a483f2840394a7dd6d44661382897b8f9f01a4c4ceb7f075
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 18E065B5B01A4487EB088FA2D80D34A36E5FB8AF06F09C024CD0A07361DFFD8499CB91

                                  Execution Graph

                                  Execution Coverage:1.7%
                                  Dynamic/Decrypted Code Coverage:95.3%
                                  Signature Coverage:0%
                                  Total number of Nodes:127
                                  Total number of Limit Nodes:16

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: f51c27f16c4f6633b98a02c77d83c992d9f34d651df41edee73d5542352582ba
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: 4671F626310B11D6EB10DF66E898B9933B4FB88B8CF641129DE8E47B69DF38C444C765

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: 03fb2559c010b35fc7aeaff24e1a8aba32389d64a9a4fe1277dbdaef19701dc9
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: 2411352A704B8182EF289B21E40C76973B0FB88B85F680029DEDD07B98EF3DC545C765

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                  • Instruction ID: 03eb0375df650c06ded491bd3bd80632cc29d40262d645ae982228ea3575561b
                                  • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                  • Instruction Fuzzy Hash: DFD19976209B8886DB70DB0AE49835A77B1F7C8B84F200616EACD47BA9DF3CC551CB51

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                  • Instruction ID: 91ee69634ea02954a635d99095fe65fee118dcb80b0bcc1607b42972238d9644
                                  • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                  • Instruction Fuzzy Hash: 0E02C832219B8486EBA0DB59F49835AB7B1F3C4794F204415EACE87BA9DF7CC494CB11

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocQuery
                                  • String ID:
                                  • API String ID: 31662377-0
                                  • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                  • Instruction ID: 8cc7483489eac028a1b8660a4de6440c288f4b83ae3d4ae88ffe83b1479d6d27
                                  • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                  • Instruction Fuzzy Hash: 2F311E22219B8481EB71DA15E05D36EB7B0F388784F640525F6CE56BA8DF7DC680CB26

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: 3a809f7ddabc0ac2374ac7064aeba5c0a941d285c9a10799ea84ef759d0c5b2c
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: B211803061074092FBA0AB21F84DB7933F4AB58B44F784128E9DE85991EF7CC044C273

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                  • String ID:
                                  • API String ID: 3733156554-0
                                  • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                  • Instruction ID: b4ddebabd21c7086e64d0149de8e395db77ad3a157d8645319746493b64ae63f
                                  • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                  • Instruction Fuzzy Hash: F0F0DA26218B04C4D670DB05E45975EBBB0F388BD4F245115FACD47B69CB3CC690CB61

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: AllocLibraryLoadVirtual
                                  • String ID:
                                  • API String ID: 3550616410-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: 4651f2f1d7f21216073bdf988d316674a800ede48b3b5ac51c383708ecdcaae6
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: 5361F037B0169087FF54CF19940872DB3A2FB54BA4F688525DE9D07788EB38D852C721

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 000002BAAEDE1628: GetProcessHeap.KERNEL32 ref: 000002BAAEDE1633
                                    • Part of subcall function 000002BAAEDE1628: HeapAlloc.KERNEL32 ref: 000002BAAEDE1642
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE16B2
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE16DF
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE16F9
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE1719
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE1734
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE1754
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE176F
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE178F
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE17AA
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE17CA
                                  • Sleep.KERNEL32 ref: 000002BAAEDE1AD7
                                  • SleepEx.KERNELBASE ref: 000002BAAEDE1ADD
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE17E5
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE1805
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE1820
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE1840
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE185B
                                    • Part of subcall function 000002BAAEDE1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDE187B
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE1896
                                    • Part of subcall function 000002BAAEDE1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDE18A0
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: 93347970251f31573bd7b166405f143642645a7725c3f2ce10dc497f19e03abf
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: 9131D461300A4191FF909B26DA5D3AD33B5AB49BD4F3454299E8D8B7D6FF28C851C232

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: fed9cd66ed9b55ec7cef7e7dc686b5543bf6ed6a649df049435d1d00bc1ec111
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 70B18F62210A6082EBA9CF29D84C7AD73B5F744F98F645016EE8D53B94DF75CC40C7A1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 55e80fbaf23816403465270af0dc4074800cc56b198f1335513d6f366cc430c3
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: C7315E72205B808AEB60DF60E8887ED7374F784748F54442ADB8E57B98EF38C648C761
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: 0ee97b97aff5f101b128dc2aa6078ea0799bc1a6a7abf3d5e902e16b3898f902
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: 8D319036214F8096EB60CF25E84839E73B0F789B58F64012AEADD47B98DF38C555CB51

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: ba0e41d2ce2acbbebdb94407daf03836a3d040c2e78f8d4b07826546e41b99b6
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 16513976200B848AEB54CF62E54C35AB7B1F789B99F648128DA9A07B58DF3CC049CB51

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: 4a553e43fb258f79cd30f61e687182d088c6036249cca1ff1032c4820fece77d
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: A531D265200A4AA0EE55EFA9E89D7E43371B708388FB04417E8DD12576EF7C8249C3B3

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: db06502468804a10a6d52ccdc558bc0b256419185f1c2abb0fa8126b17de5455
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: 3581EE2160020186FB50BB26949D39977B1EB89B80F748525AAED877D6FF39C885C733

                                  Control-flow Graph

                                  APIs
                                  • GetLastError.KERNEL32 ref: 000002BAAEDECE37
                                  • FlsGetValue.KERNEL32(?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECE4C
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECE6D
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECE9A
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECEAB
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECEBC
                                  • SetLastError.KERNEL32 ref: 000002BAAEDECED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,000002BAAEDEECCC,?,?,?,?,000002BAAEDEBF9F,?,?,?,?,?,000002BAAEDE7AB0), ref: 000002BAAEDECF2C
                                    • Part of subcall function 000002BAAEDED6CC: HeapAlloc.KERNEL32 ref: 000002BAAEDED721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECF54
                                    • Part of subcall function 000002BAAEDED744: HeapFree.KERNEL32 ref: 000002BAAEDED75A
                                    • Part of subcall function 000002BAAEDED744: GetLastError.KERNEL32 ref: 000002BAAEDED764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDF0A6B,?,?,?,000002BAAEDF045C,?,?,?,000002BAAEDEC84F), ref: 000002BAAEDECF76
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction ID: 8498d1ded09b7150ef329e00493d125eaf592a2360f748b7fdfc4fc2becf3b56
                                  • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction Fuzzy Hash: 344182203412C446FA78A735955D36D33B29B85BF4F344728A8FE0AAE6DF388841D233
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction ID: 9f0e504748d655e8832e96595b2a88c0a6172e517f02ea09fd8de75270db3e4b
                                  • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction Fuzzy Hash: 0C211836614B4082EB20CB25F44875A77B1F789BA5F604219EAAD02BA8DF7CC149CB52
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction ID: 48312824daa8a5788103a526f817439e5077e8980e8cae0df2db615d074f8859
                                  • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction Fuzzy Hash: F2E1CF72A04B808AFB60DF65D48839D77B4F785B98F201116EECD57B9AEB34C091C722
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction ID: 36dcb96471721961921d849166af13caa4b6b1c5d9502988613b974aac41ab96
                                  • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction Fuzzy Hash: 87E1C172604B818AEB60DF65D48C39D77B0F795B98F60011AEECD5BB9ACB34C481C762
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction ID: a1c6589e4def007e23dbdd3f0b35aa69b41565b8292fd0b4b9f61d66e7192ca4
                                  • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction Fuzzy Hash: 9341E422311B0095FB26CB66A80C79533B1FB49BE0F3941299D9E8BB84EF3CC545C362
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction ID: 9eac824085179ff61554ba13fc397a7dd51a00114cad2fd1339557474c0c15a8
                                  • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction Fuzzy Hash: 82414C73214B84D6E760CF21E44879A77B1F388B98F548129DB8907B98DF3CC989CB51
                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,000002BAAEDEC7DE,?,?,?,?,?,?,?,?,000002BAAEDECF9D,?,?,00000001), ref: 000002BAAEDED087
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDEC7DE,?,?,?,?,?,?,?,?,000002BAAEDECF9D,?,?,00000001), ref: 000002BAAEDED0A6
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDEC7DE,?,?,?,?,?,?,?,?,000002BAAEDECF9D,?,?,00000001), ref: 000002BAAEDED0CE
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDEC7DE,?,?,?,?,?,?,?,?,000002BAAEDECF9D,?,?,00000001), ref: 000002BAAEDED0DF
                                  • FlsSetValue.KERNEL32(?,?,?,000002BAAEDEC7DE,?,?,?,?,?,?,?,?,000002BAAEDECF9D,?,?,00000001), ref: 000002BAAEDED0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction ID: 84cc4477fabd3dc48b795036a67b920cc1512ff0ec08da69b20601f43df469ed
                                  • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction Fuzzy Hash: 7C11AB2070424442FA786735955D37973719B44BF4F384724A8FD0B7DADF28C442C623
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 80cdc7c49aa12fc1356009ab36547c88a6878e4bec5baa813558211bbc1b3e93
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: CF81D42170074186FBE0AB65A84D39933F0AB95784F788429EACC5B796EB38C845C773
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 5593ce675e88a5232c9c560fd30a834f05f26ee968914b434cffa11d9b274ba3
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: 7331C621313B40E1EE26DB42A80C76D33B4B748FA0F7989259EAD0B794DF39C585C322
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: 43f16c0442d3e74648a5aa99fb5f88d225eb17b5376616d35b99ca31488a400e
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: 1D116D21310B8086E7A0CB52E85831977B0F798FE4F644228EAAE87B94CF38C914C795
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction ID: a3c5d8e7c0d344283d625baaecb5e54effd584b4bb5a54415779cb080a33cf80
                                  • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction Fuzzy Hash: AF318D22701B5182EA58DF1BE94C76A77B0FB45B84F2881249F8C47B55EF38C4A1C761
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: 7ac99806cae4bd00125dfab4190f5c197c5f6dcca2affa581509ce51b2a6012f
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: F1114F2024168042FA68A731955D33D7372AB95BF4F344728A8FE47BDADF688841D622
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: 63754c32d6fd7810252cfa55c40f336433f95584dd291c2630ab5916ff433969
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: A3011721300B4082EA64DB52A85C75973B5F788BC4FA84039DE9E53B95DF3CC98AC7A1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: a3b94c7a2f97bbdb0e22082914354fb0fb907d1c5ff2eaf379a7a8f208934f3e
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: 2F012965311B40D2EB64AB25E80C72A73B0BB49B86F680428DD9D07BA5EF3DC548C762
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction ID: 4c95cebfc9c893cdec082aeb3cd504485bb1071dda7b7f1d7f1e17995ebe8e3d
                                  • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                  • Instruction Fuzzy Hash: C951D1727026008AEB24CF25E84CB5937B6F344B88F708564EE9E47788EB35C841C762
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: 2d63a29d2cf916e43857a866cbb3ad144c227843939d8d89140abbcef524f2c2
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: 41F04F22304B4192EB70CF21F88C7697770F748B88FA44028DA9D46958DF3CC68ECB51
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: 46140b7dbc4fa388295ec1f1a0c735455dd77e91eeb042858c63b95a1b8edfe0
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: 8EF0F864614B8492EA148F52B91C22977B1AB48FD4F2C9124EE9E47B28DF28C495C7A1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: 203f56eabf5839a6fd2636e979c3fb5f65bc5215fab28274bb6f968c30008fa1
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: A9F09061311B0581EB20CB24E84D3A97370FB88BA5F740219DAFE466E4DF3DC048C3A1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                  • Instruction ID: b464e748fef52a2bfffa925a70d7495e6b612eebc2595b4a2eec6b3537a4d78c
                                  • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                  • Instruction Fuzzy Hash: E461D836519B84C6E7A0DB15E48831AB7B1F388794F20051AFACE47BA8DB7CC554CF62
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 4822f2769f565f9cf764684b18e8c729750c13eff7b5f07d2f3616860e669cfe
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 7E11A722670A5112FA961578E54E36B33B06BD93F4FB947B8A9EE063D6CB24C841C123
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: c78ab4c87549a20d670cee724add984adcfde24f456056d984044bf7d25449b6
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: A8117332A10F5511F7A49768E45D3653B716B783B8F38C634A9FE0B7D6CB24C845D222
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo
                                  • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                  • API String ID: 3215553584-4202648911
                                  • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction ID: 5abea17d272e25f4a9fff92da231a79f2632ba4d3d3369d600197a506407524d
                                  • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction Fuzzy Hash: C561B036A0064046FA699B69E94C32A7BB1F785780F708925DADE977E4FB34C941C233
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 5f0d78b15c17110cbd445500e8c8267b9b92c3333c9013ad3dc85e4811cca122
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: BD615636601B848AEB20DF65D48839D77B0F348B88F244216EF8D1BB98DB38C595C711
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 8ef89af0a847d6f344a08d5ba2288db114db0a7b9d3f711c71e60b81a032433e
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: DA518A32100380CAFB748FA6955835C77B0F355B94F289216DADD8BBD5EB39D4A0CB12
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: c53cef780c3a171ff93f7c1c288c7d19e2320916ee5a7fdd147a5ce6ee4e2d9b
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: AF5190722047828AEB788F25958C35D77B0F754B85F289216EADD4BBD5CB38D890C712
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 2e648ab5babbfbd578e74ee5cc385b61af56398a85e684c3d6b4e88b038d0cf6
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: C851BC3A7016008AFB15DF25E448B5A37F5F354B98F648124DA8E67788FB34D881CB26
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: 08198179b1e3f533aaa83f41b62cc101328bc519e2661691bf1e467442523176
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: 85319C3A2017409AFB15DF21E848B5A77B5F340BD8F258418EE9F17788EB38C941C726
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: 163833332be8cad1eadeae5ced862920e46ed2377924c8fb74c420d9330fa2d2
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: 34D1DF72B14B8089EB11CFB9D4483AC3BB1F354B98F248216DE9D9BB99DB38C506C751
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free
                                  • String ID:
                                  • API String ID: 3168794593-0
                                  • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction ID: c6eef808f36681c0b30ad42bf3e57f1d4a1805b8c2e3168117547d0aa4bbc118
                                  • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction Fuzzy Hash: 73118B76A00B90CAE714DF62A80824977B0F788F81F288029EBAD03B96DF38C050C791
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: f08ad26ad60ae813049dccd06cbe14ce968dd0d83ccd26136a11e037129706ee
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: 0F91E332700B5099F760DF6D94883AD3BB4F754B88F744109DE8E67A99DB39C886C722
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: 80bd6808d1dbff70633de32dae69fab56dfcc95ae80b52e2c7c2ba7c28a6b0fa
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: 31115E22710F418AEF50CF70E8583A833B4F719758F540E25EAAD46BA8DF78C298C391
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 4d6e201527dcba3e1b831316f6021bc3322348051a9805a65c54fe2a55adf26d
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: 73718136200B8186E765EF29984C3BA77B4F389B84F640126DD8E57F89DF35CA45C711
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: CallTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3163161869-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 31cfc26015e30b70968a4c3378b457c49d28272c0e238a8002186e41b1119a46
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 4A614436A01B848AFB20DF66D48439D77B0F748B98F248216EF8D17B99EB38D195C711
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: 16077a9af194bcc4a804d5d88512cb841f68d25a68e93f9a91c481c5abada13d
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: 0A51E03220478185E664DF2DA19C3BAB7B1F395780FA80125DEDE03B89DF39C504C7A2
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: 884813c068f0c36a3547088f078522efc16d0a08fde3564b4c2b8d7c7f33f49a
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: 2F41D832715B8096DB60DF69E8483AAB7B0F798794F604025EE8D87B98EF3CC541C761
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: caa8dc06bccb0d526084a5713457d3394e8afede243d18092af321dfc0ec1533
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: AE11F836215B8082EB618B25E448359B7E5FB88B94F684265EECD07B69DF3CC551CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: ierarchy Descriptor'$riptor at (
                                  • API String ID: 592178966-758928094
                                  • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction ID: 2698d2d5b4670cde4d5c365018936b5eca4ca667901b17f542d6b94e8ff0722d
                                  • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction Fuzzy Hash: CAE08661640B4490DF029F31E84429833B4DB98B64B989122D99C06311FB38D1E9C312
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166356161.000002BAAEDB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaedb0000_dwm.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: Locator'$riptor at (
                                  • API String ID: 592178966-4215709766
                                  • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction ID: 2a481a49046e7208eca83b90ad3710aea48e8f9ff441d5ae149402835243d50e
                                  • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction Fuzzy Hash: 40E08661600B4480DF029F31D8401987374E798B54F989162C98C06311FB38D1E5C311
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 900a22c99e16b4c5a2d4cfb7e8dc3aafd86a455abc538d6942288a9936bcf439
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: 55119E25701B5481EA54DB66E80D369B3B1FB89FC0F284128DE8D83BA6DF39D442C361
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.3166476882.000002BAAEDE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDE0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_2baaede0000_dwm.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: 13d0fc8b7a20e7f9c7b021cdfc658666e0447f099026b18463c0586ef1c02db6
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 60E0393560170486EB04CB62D80834A37E1EB89B06F1480288A9907791DF7E8499C7A1

                                  Execution Graph

                                  Execution Coverage:48.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:226
                                  Total number of Limit Nodes:22
                                  execution_graph 384 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 385 140002b8e K32EnumProcesses 384->385 386 140002beb SleepEx 385->386 387 140002ba3 385->387 386->385 387->386 389 140002540 387->389 390 140002558 389->390 391 14000254d 389->391 390->387 393 1400010c0 391->393 431 1400018ac OpenProcess 393->431 396 1400014ba 396->390 397 140001122 OpenProcess 397->396 398 14000113e OpenProcess 397->398 399 140001161 K32GetModuleFileNameExW 398->399 400 1400011fd NtQueryInformationProcess 398->400 401 1400011aa CloseHandle 399->401 402 14000117a PathFindFileNameW lstrlenW 399->402 403 1400014b1 CloseHandle 400->403 404 140001224 400->404 401->400 406 1400011b8 401->406 402->401 405 140001197 StrCpyW 402->405 403->396 404->403 407 140001230 OpenProcessToken 404->407 405->401 406->400 408 1400011d8 StrCmpIW 406->408 407->403 409 14000124e GetTokenInformation 407->409 408->403 408->406 410 1400012f1 409->410 411 140001276 GetLastError 409->411 412 1400012f8 CloseHandle 410->412 411->410 413 140001281 LocalAlloc 411->413 412->403 418 14000130c 412->418 413->410 414 140001297 GetTokenInformation 413->414 415 1400012df 414->415 416 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 414->416 417 1400012e6 LocalFree 415->417 416->417 417->412 418->403 419 14000139b StrStrA 418->419 420 1400013c3 418->420 419->418 421 1400013c8 419->421 420->403 421->403 422 1400013f3 VirtualAllocEx 421->422 422->403 423 140001420 WriteProcessMemory 422->423 423->403 424 14000143b 423->424 436 14000211c 424->436 426 14000145b 426->403 427 140001478 WaitForSingleObject 426->427 430 140001471 CloseHandle 426->430 429 140001487 GetExitCodeThread 427->429 427->430 429->430 430->403 432 14000110e 431->432 433 1400018d8 IsWow64Process 431->433 432->396 432->397 434 1400018f8 CloseHandle 433->434 435 1400018ea 433->435 434->432 435->434 439 140001914 GetModuleHandleA 436->439 440 140001934 GetProcAddress 439->440 441 14000193d 439->441 440->441 442 
                                  Callgraph (every function in the dump; node addresses are those of the graph, one entry per function)
                                  • sub_140002258: sub_14000226c, then ExitProcess.
                                  • sub_14000226c (entry routine): sub_140001f2c twice (14 API calls each) → GetCurrentProcessId → OpenProcess → OpenProcessToken → LookupPrivilegeValueW → AdjustTokenPrivileges (GetLastError on failure) → CloseHandle → FindResourceExA → SizeofResource → LoadResource → LockResource (ExitProcess if any resource step fails) → GetCurrentProcessId → sub_1400017ec → RegCreateKeyExW → ConvertStringSecurityDescriptorToSecurityDescriptorW → RegSetKeySecurity, LocalFree → RegCreateKeyExW → GetCurrentProcessId, RegSetValueExW, RegCloseKey → CreateThread, GetProcessHeap, HeapAlloc, CreateThread, CreateThread → SleepEx in a loop that never exits (node 14000250f branches to itself).
                                  • sub_140001f2c: StrCpyW, StrCatW, GetModuleHandleW → GetCurrentProcess, K32GetModuleInformation → CreateFileW → CreateFileMappingW → MapViewOfFile → loop comparing section names with lstrcmpiA → VirtualProtect, VirtualProtect → CloseHandle, CloseHandle → FreeLibrary. A copy of an already loaded module is mapped from disk and the protection of one section is changed twice, the usual bracket around an in-place rewrite of that section.
                                  • sub_1400017ec: GetProcessHeap, HeapAlloc → sub_1400014d8 → for each returned PID: OpenProcess → TerminateProcess → CloseHandle → GetProcessHeap, HeapFree.
                                  • sub_1400014d8: GetProcessHeap, HeapAlloc (twice) → K32EnumProcesses → for each PID: OpenProcess → K32EnumProcessModules → ReadProcessMemory → CloseHandle → GetProcessHeap, RtlFreeHeap (twice).
                                  • sub_140002bf8 (pipe server with replies): sub_140001b54 until the pipe exists (Sleep between attempts) → ConnectNamedPipe → ReadFile → sub_140002524 → DisconnectNamedPipe → ConnectNamedPipe again; a failed ConnectNamedPipe sleeps before disconnecting.
                                  • sub_140002524: optionally sub_1400010c0 (30 API calls), then WriteFile to the pipe.
                                  • sub_140001b54 (pipe creation): AllocateAndInitializeSid → SetEntriesInAclW → LocalAlloc → InitializeSecurityDescriptor → SetSecurityDescriptorDacl → CreateNamedPipeW.
                                  • sub_1400021d0 (pipe server without replies): sub_140001b54 → ConnectNamedPipe → ReadFile → DisconnectNamedPipe → ConnectNamedPipe again, Sleep on failure.
                                  • sub_140002560 (multi-branch handler; no caller appears in this graph): branches to ExitProcess; to RegOpenKeyExW → RegDeleteValueW → sub_1400019c4, sub_14000175c, sub_140001000, sub_1400017ec; to GetProcessHeap, HeapAlloc, K32EnumProcesses → sub_1400010c0 for each PID; to ReadFile → sub_1400018ac → GetProcessHeap, HeapAlloc → sub_1400014d8 → sub_1400016cc → GetProcessHeap, HeapFree; to sub_140001944 → sub_140001944 → ShellExecuteW; to sub_140001944 → GetProcessHeap, HeapAlloc, ReadFile → lstrlenW, GetProcessHeap, HeapAlloc → sub_140002a90; to sub_140001c88; and to sub_14000217c.
                                  • sub_1400019c4: SysAllocString, SysAllocString, CoInitializeEx → CoInitializeSecurity → CoCreateInstance → VariantInit → CoUninitialize → SysFreeString, SysFreeString (the CLSID is not recoverable from the graph).
                                  • sub_14000175c: GetProcessHeap, HeapAlloc → sub_1400014d8 → sub_1400016cc per PID → GetProcessHeap, HeapFree.
                                  • sub_1400016cc: OpenProcess → sub_14000211c (2 API calls) → CloseHandle.
                                  • sub_1400018ac: 3 API calls (its own graph below: OpenProcess → IsWow64Process → CloseHandle).
                                  • sub_140001c88 (injection into a freshly created process): CreateProcessW → VirtualAllocEx → WriteProcessMemory → WriteProcessMemory → VirtualAlloc → GetThreadContext → WriteProcessMemory → SetThreadContext → ResumeThread, all driven through one dispatch node at 140001cbb; a separate branch does OpenProcess → TerminateProcess. This is the thread-context injection pattern: the payload is written into the new process and its initial thread's context is redirected before the thread is resumed.
                                  • sub_140002a90 (writes a file): CreateFileW → WriteFile → WriteFile → CloseHandle; GetProcessHeap, HeapFree on failure.
                                  • sub_140001944: ReadFile in a loop until the requested length has been read.
                                  • sub_14000217c: sub_140001914 (2 API calls).

                                  Function sub_14000226c (entry routine; see the callgraph)
                                  Memory Dump Source (shared by every function listed in this section)
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                  • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                  • Note on the strings: the SDDL grants GENERIC_ALL (GA), inherited by sub-objects and sub-containers (OICI), to Authenticated Users (AU) and to Builtin Administrators (BA). ConvertStringSecurityDescriptorToSecurityDescriptorW turns it into a descriptor that RegSetKeySecurity applies to the key created by RegCreateKeyExW, and the only registry path string in this function is SOFTWARE\dialerconfig, so any authenticated local user can read and rewrite that key. SeDebugPrivilege is the privilege enabled through LookupPrivilegeValueW and AdjustTokenPrivileges.
                                  • API String ID: 4177739653-1130149537
                                  • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                  • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                  • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                  • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
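The SDDL string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) in the strings above decides who may touch the key this function protects with RegSetKeySecurity. The Python below is an added example (not part of the report or of the sample) that decodes the DACL portion of an SDDL string with a small subset of the sddl.h tables and reports the non-administrative principals that receive a write right; the table subset, the set of rights counted as "write" and the "admin only" set are my own choices for the check, not anything the report states.

```python
"""Decode the D: (DACL) part of an SDDL string and list non-admin writers."""
import re

# Subset of the sddl.h abbreviation tables sufficient for the ACEs seen here.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ",
          "KW": "KEY_WRITE", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE"}
WELL_KNOWN_SIDS = {"AU": ("Authenticated Users", "S-1-5-11"),
                   "BA": ("Builtin Administrators", "S-1-5-32-544"),
                   "BU": ("Builtin Users", "S-1-5-32-545"),
                   "SY": ("Local System", "S-1-5-18"),
                   "WD": ("Everyone", "S-1-1-0"),
                   "IU": ("Interactive Users", "S-1-5-4")}
# Assumption for the check: these rights let a principal modify the object ...
WRITE_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "KEY_ALL_ACCESS", "KEY_WRITE",
                "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE"}
# ... and these principals are the ones expected to hold them.
ADMIN_ONLY = {"Builtin Administrators", "Local System"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return one dict per ACE in the D: section; raises if there is no DACL."""
    m = re.search(r"D:(?:[A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, _, _, sid = fields
        # rights and flags are two-letter tokens run together, e.g. "OICI", "GRGW"
        right_tokens = [rights] if rights.startswith("0x") else re.findall(r"[A-Z]{2}", rights)
        name, sid_str = WELL_KNOWN_SIDS.get(sid, (sid, sid))
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in re.findall(r"[A-Z]{2}", flags)],
            "rights": [RIGHTS.get(r, r) for r in right_tokens],
            "trustee": name,
            "sid": sid_str,
        })
    return aces


def non_admin_writers(sddl):
    """Trustees outside ADMIN_ONLY that an allow ACE grants a write right."""
    return [ace["trustee"] for ace in parse_dacl(sddl)
            if ace["type"] == "ACCESS_ALLOWED"
            and ace["trustee"] not in ADMIN_ONLY
            and WRITE_RIGHTS & set(ace["rights"])]


# The descriptor string recovered from sub_14000226c on this page.
DIALERCONFIG_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

if __name__ == "__main__":
    for ace in parse_dacl(DIALERCONFIG_SDDL):
        print(ace)
    print("non-admin writers:", non_admin_writers(DIALERCONFIG_SDDL))
```

Run against the string from this function, the check names Authenticated Users as a writer, which is the practical meaning of the ACL: every logged-on local account, not just the operator's elevated process, can rewrite the configuration key. The same function is the place to start when triaging pipe or key DACLs from other samples, since the abbreviation tables only need extending.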

                                  Control-flow Graph: sub_1400010c0 (starts the payload inside a chosen process)
                                  • sub_1400018ac (OpenProcess → IsWow64Process → CloseHandle on the target PID) → OpenProcess → OpenProcess → K32GetModuleFileNameExW → PathFindFileNameW, lstrlenW → StrCpyW → CloseHandle → StrCmpIW loop over the image name (this function's strings are MSBuild.exe and dialer.exe) → NtQueryInformationProcess → OpenProcessToken → GetTokenInformation in the usual size-query pattern (GetLastError → LocalAlloc → GetTokenInformation → GetSidSubAuthorityCount, GetSidSubAuthority → LocalFree) → CloseHandle → three sub_140001ec4 calls → loop of sub_140001ec4 and StrStrA (the string ReflectiveDllMain belongs to this function) → two sub_140001ec4 calls → VirtualAllocEx → WriteProcessMemory → sub_14000211c → WaitForSingleObject → GetExitCodeThread → CloseHandle → CloseHandle. Every failed check falls through to the final CloseHandle at 1400014b1.
                                  Similarity
                                  • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                  • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                  • API String ID: 2561231171-3753927220
                                  • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                  • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                  • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                  • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                  Function sub_1400014d8 (enumerates processes and their modules and reads their memory; identified from the callgraph by its API set)
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                  • String ID:
                                  • API String ID: 4084875642-0
                                  • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                  • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                  • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                  • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                  Function sub_140001f2c (maps a copy of a module from C:\Windows\System32\ with CreateFileW → CreateFileMappingW → MapViewOfFile, finds the .text section by lstrcmpiA and changes its protection with two VirtualProtect calls; identified from the callgraph and the strings below)
                                  Similarity
                                  • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                  • String ID: .text$C:\Windows\System32\
                                  • API String ID: 2721474350-832442975
                                  • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                  • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                  • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                  • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                  Function sub_140002bf8 (pipe server on \\.\pipe\dialerchildproc64: sub_140001b54 creates the pipe, then ConnectNamedPipe → ReadFile → sub_140002524 → WriteFile reply → DisconnectNamedPipe in a loop, Sleep on failure; identified from the callgraph and the pipe name below)
                                  Similarity
                                  • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                  • String ID: M$\\.\pipe\dialerchildproc64
                                  • API String ID: 2203880229-3489460547
                                  • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                  • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                  • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                  • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                  Control-flow Graph: sub_1400021d0 (pipe server on \\.\pipe\dialercontrol_redirect64)
                                  • sub_140001b54 creates the pipe, Sleep and retry while it fails → ConnectNamedPipe → ReadFile (the data is checked and consumed inline) → DisconnectNamedPipe → back to ConnectNamedPipe; a failed ConnectNamedPipe sleeps before DisconnectNamedPipe. Unlike sub_140002bf8, nothing is written back to the client.
                                  Similarity
                                  • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                  • String ID: \\.\pipe\dialercontrol_redirect64
                                  • API String ID: 2071455217-3440882674
                                  • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                  • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                  • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                  • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700
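The callgraph and control_flow_graph dumps on this page are flat token streams: a node is "id address API API ...", an edge is "src->dst", and sub-calls appear as "call addr" or a collapsed "N API calls". The Python below is an added example, not Joe Sandbox code and not part of the sample, that parses this format and checks whether an ordered API sequence lies on an actual path through the graph, which is tighter than grepping for API names because it honours the branches and the dispatch loops seen in sub_140001c88 and the pipe servers. The two embedded dumps are excerpts of the sub_140001c88 and sub_1400021d0 graphs from this page (whitespace re-flowed only); the technique names and sequences in TECHNIQUES are my own labels, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox callgraph / control_flow_graph token dumps and find API
sequences that occur, in order, along a real control-flow path.  The format
rules (node = "<id> <addr>[-<end>] <API>...", edge = "<src>-><dst>") are
inferred from the dumps on this page."""
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]{6,})(?:-[0-9a-fA-F]{6,})?$")
NODE_ID_RE = re.compile(r"^\d{1,4}$")   # node ids are short decimals, addresses 9+ hex digits


def parse_graph(text):
    """Return (nodes, edges): id -> (start address, [APIs in order]) and id -> successor ids."""
    toks = text.split()
    nodes, edges, cur, i = {}, {}, None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            edges.setdefault(a, set()).add(b)
            for n in (a, b):                  # edge may name a node defined elsewhere
                nodes.setdefault(n, ("", []))
            i += 1
            continue
        if NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)                      # new node: id followed by its address
            nodes[cur] = (ADDR_RE.match(toks[i + 1]).group(1).lower(), [])
            edges.setdefault(cur, set())
            i += 2
            continue
        if cur is None:
            i += 1                            # stray token before the first node
            continue
        apis = nodes[cur][1]
        if t == "call" and i + 1 < len(toks):
            apis.append("call:" + toks[i + 1].lower())
            i += 2
            if i + 1 < len(toks) and toks[i] == "*" and toks[i + 1].isdigit():
                apis.extend([apis[-1]] * (int(toks[i + 1]) - 1))   # "call X * 3"
                i += 2
            continue
        if t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            i += 3                            # collapsed sub-call: "30 API calls"
            continue
        apis.append(t)
        i += 1
    return nodes, edges


def find_api_path(nodes, edges, signature):
    """BFS over (node, matched_count) states; returns the shortest node path along
    which every API of *signature* is met in order, or None.  The visited set keeps
    the self-looping Sleep/retry nodes of these dumps from looping forever."""
    def advance(node_id, k):
        for api in nodes[node_id][1]:
            if k < len(signature) and api == signature[k]:
                k += 1
        return k

    queue = deque(((n, advance(n, 0)), [n]) for n in nodes if advance(n, 0))
    seen = set()
    while queue:
        (n, k), path = queue.popleft()
        if k == len(signature):
            return path
        if (n, k) in seen:
            continue
        seen.add((n, k))
        for s in edges.get(n, ()):
            queue.append(((s, advance(s, k)), path + [s]))
    return None


# Ordered API sequences for behaviours visible in this module's graphs (my labels).
TECHNIQUES = {
    "thread-context injection": ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                                 "GetThreadContext", "SetThreadContext", "ResumeThread"],
    "remote memory write": ["VirtualAllocEx", "WriteProcessMemory"],
    "named-pipe command loop": ["ConnectNamedPipe", "ReadFile", "DisconnectNamedPipe"],
    "module remap from disk": ["CreateFileW", "CreateFileMappingW", "MapViewOfFile", "VirtualProtect"],
}


def scan(text):
    """Sorted names of TECHNIQUES whose sequence lies on some path of the dump."""
    nodes, edges = parse_graph(text)
    return sorted(n for n, sig in TECHNIQUES.items() if find_api_path(nodes, edges, sig))


# Excerpts of this page's dumps: sub_140001c88 (callgraph) and sub_1400021d0 (CFG).
HOLLOW_DUMP = """616 140001c88 617 140001cbb 616->617 618 140001cce CreateProcessW 617->618 620 140001e97
617->620 622 140001e62 OpenProcess 617->622 624 140001dd2 VirtualAlloc 617->624 626 140001d8c WriteProcessMemory
617->626 618->617 619 140001d2b VirtualAllocEx 618->619 619->617 621 140001d60 WriteProcessMemory 619->621 620->582
621->617 622->617 623 140001e78 TerminateProcess 622->623 623->617 624->617 625 140001df1 GetThreadContext 624->625
625->617 627 140001e09 WriteProcessMemory 625->627 626->617 627->617 628 140001e30 SetThreadContext 627->628
628->617 629 140001e4e ResumeThread 628->629 629->617 629->620"""
PIPE_DUMP = """129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep
130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135
136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137
138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137"""
```

scan(HOLLOW_DUMP) reports "remote memory write" and "thread-context injection"; scan(PIPE_DUMP) reports only "named-pipe command loop". find_api_path also returns the node path, so the match can be read back against the addresses in the dump, for instance 618 → 619 → 621 → 617 → 624 → 625 → 627 → 628 → 629 for the injection sequence, which passes through the dispatch node 617 exactly as the callgraph shows.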

                                  Function sub_140001b54 (named-pipe creation: AllocateAndInitializeSid → SetEntriesInAclW → LocalAlloc → InitializeSecurityDescriptor → SetSecurityDescriptorDacl → CreateNamedPipeW, so the pipe is created with an explicit DACL rather than the default one; identified from the callgraph)
                                  Similarity
                                  • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                  • String ID:
                                  • API String ID: 3197395349-0
                                  • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                  • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                  • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                  • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                  Control-flow Graph: sub_140002b38 (process-list polling thread)
                                  • GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc → loop: K32EnumProcesses → walk the PID array, calling sub_140002540 for entries that pass an inline check → SleepEx → K32EnumProcesses again. The loop has no exit edge.
                                  Similarity
                                  • API ID: Heap$AllocProcess$EnumProcessesSleep
                                  • String ID:
                                  • API String ID: 3676546796-0
                                  • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                  • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                  • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                  • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                  Function sub_1400017ec (terminates the processes selected by sub_1400014d8; see the callgraph)

                                  APIs
                                  • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                  • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                    • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                    • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                    • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                    • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                    • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                    • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                    • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                    • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                    • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                    • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                  • OpenProcess.KERNEL32 ref: 0000000140001859
                                  • TerminateProcess.KERNELBASE ref: 000000014000186C
                                  • CloseHandle.KERNEL32 ref: 0000000140001875
                                  • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                  Similarity
                                  • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                  • String ID:
                                  • API String ID: 1323846700-0
                                  • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                  • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                  • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                  • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                  Control-flow Graph: sub_1400018ac (WoW64 check of a PID)
                                  • OpenProcess → IsWow64Process → result flag set → CloseHandle; returns immediately when OpenProcess fails.
                                  Similarity
                                  • API ID: Process$CloseHandleOpenWow64
                                  • String ID:
                                  • API String ID: 10462204-0
                                  • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                  • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                  • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                  • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                  Control-flow Graph: sub_140002258 (entry stub)
                                  • sub_14000226c → ExitProcess.
                                  APIs
                                    • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                    • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                    • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                    • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                    • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                    • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                    • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                    • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                    • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                    • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                    • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                    • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                    • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                    • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                    • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                    • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                  • ExitProcess.KERNEL32 ref: 0000000140002263
                                  Similarity
                                  • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                  • String ID:
                                  • API String ID: 3836936051-0
                                  • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                  • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                  • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                  • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                   Control-flow Graph

                                   Control-flow graph of function 140002560-140002a8e (rendered graph omitted; the executed/not-executed colouring of the original picture is not preserved). Basic blocks that carry API calls or internal subcalls, in address order:
                                   • 140002560-14000258c: entry block
                                   • 1400025cb-1400025ef: ReadFile
                                   • 140002602-140002616: call 1400018ac
                                   • 140002624-140002633: call 1400010c0
                                   • 140002660-14000268b: RegOpenKeyExW
                                   • 14000268d-14000269b: RegDeleteValueW
                                   • 1400026a1-1400026b8: call 1400019c4, call 14000175c, call 140001000, call 1400017ec
                                   • 1400026bd-1400026bf: ExitProcess
                                   • 1400026c6-1400026fe: GetProcessHeap, HeapAlloc, K32EnumProcesses
                                   • 14000271b-140002733: call 1400010c0
                                   • 14000276c-140002796: call 14000217c, call 1400021a8, ExitProcess
                                   • 14000279d-1400027ae: call 140001944
                                   • 1400027b4-1400027d6: ReadFile
                                   • 1400027e9-140002827: GetProcessHeap, HeapAlloc, ReadFile
                                   • 14000286f-14000287c: call 140001c88 (the CreateProcessW / WriteProcessMemory / SetThreadContext routine listed in the next function block)
                                   • 140002881-140002905: lstrlenW, GetProcessHeap, HeapAlloc, call 140002a90, GetProcessHeap, HeapFree
                                   • 14000290b-140002914: GetProcessHeap
                                   • 140002919-14000292c: call 140001944
                                   • 140002932-140002941: call 140001944
                                   • 140002947-14000296f: ShellExecuteW
                                   • 140002974-140002979: call 14000175c
                                   • 14000297e-1400029a2: ReadFile
                                   • 1400029b5-1400029c9: call 1400018ac
                                   • 1400029db-140002a16: GetProcessHeap, HeapAlloc, call 1400014d8
                                   • 140002a44: call 1400016cc
                                   • 140002a49-140002a4f: GetProcessHeap
                                   • 140002a52-140002a5d: HeapFree
                                   • 140002a66-140002a6f: call 140002a90
                                   Most blocks have an edge to the common return block 140002a74-140002a8e, so each of the branches above is a separate case that ends in the same epilogue.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                  • String ID: SOFTWARE$dialerstager$open
                                  • API String ID: 3276259517-3931493855
                                  • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                  • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                  • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                  • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                   Control-flow Graph

                                   Control-flow graph of function 140001c88-140001ebf (rendered graph omitted; the executed/not-executed colouring of the original picture is not preserved). Basic blocks in address order, with the API called in the block and its successor blocks:
                                   • 140001c88-140001cb8 → 140001cbb
                                   • 140001cbb-140001cc8 → 140001cce, 140001e8c
                                   • 140001cce-140001d25: CreateProcessW → 140001d2b, 140001e88
                                   • 140001d2b-140001d5a: VirtualAllocEx → 140001d60, 140001e5d
                                   • 140001d60-140001d7b: WriteProcessMemory → 140001d81, 140001e5d
                                   • 140001d81-140001d87 → 140001d89, 140001dd2
                                   • 140001d89 → 140001d8c
                                   • 140001d8c-140001dba: WriteProcessMemory → 140001dc0, 140001e5d
                                   • 140001dc0-140001dcc → 140001d8c (loop), 140001dce
                                   • 140001dce → 140001dd2
                                   • 140001dd2-140001def: VirtualAlloc → 140001df1, 140001e5d
                                   • 140001df1-140001e07: GetThreadContext → 140001e09, 140001e5d
                                   • 140001e09-140001e2e: WriteProcessMemory → 140001e30, 140001e5d
                                   • 140001e30-140001e4c: SetThreadContext → 140001e4e, 140001e5d
                                   • 140001e4e-140001e5b: ResumeThread → 140001eba, 140001e5d
                                   • 140001e5d-140001e60 → 140001e62, 140001e85
                                   • 140001e62-140001e76: OpenProcess → 140001e78, 140001e88
                                   • 140001e78-140001e83: TerminateProcess → 140001e88
                                   • 140001e85 → 140001e88
                                   • 140001e88 → 140001e8c
                                   • 140001e8c-140001e91 → 140001cbb (loop), 140001e97
                                   • 140001e97 → 140001e99
                                   • 140001e99-140001eb9: return
                                   • 140001eba-140001ebf → 140001e99
                                   The success path CreateProcessW → VirtualAllocEx → WriteProcessMemory (repeated in the 140001d8c/140001dc0 loop) → VirtualAlloc → GetThreadContext → WriteProcessMemory → SetThreadContext → ResumeThread is the canonical process-hollowing sequence. Every failure from VirtualAllocEx onward drops into 140001e5d, which either returns directly via 140001e85 or reopens the created process with OpenProcess and kills it with TerminateProcess.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                  • String ID: @
                                  • API String ID: 3462610200-2766056989
                                  • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                  • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                  • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                  • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
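                                   The report serialises each control-flow graph as a flat token stream: a node number, an address or address range, zero or more labels (an imported API name, `call <address>` for an internal subcall, or `N API calls` for a summarised node), then `a->b` edges. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses that stream into basic blocks with labels and successor edges, lists the imported APIs in address order, and then checks along the CFG edges (not merely by address order) whether a function contains the process-hollowing chain CreateProcessW → VirtualAllocEx → WriteProcessMemory → GetThreadContext → SetThreadContext → ResumeThread. `HOLLOW_CFG` is the 140001c88 dump copied from this page; `BENIGN_CFG` is a constructed negative sample; the grammar for labels and the choice of API chain are this example's own assumptions.

```python
"""Parse Joe Sandbox's serialised control_flow_graph / execution_graph text
and test a parsed function for the process-hollowing API chain.
(Added example; the grammar below is inferred from the report's dumps.)"""
import re
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{7,16}(?:-[0-9a-f]{7,16})?$")   # 64-bit VA or VA range


@dataclass
class Block:
    node: int
    start: str                                    # first VA, hex string as on the page
    end: str                                      # last VA; equals start for single-VA nodes
    apis: list = field(default_factory=list)      # imported APIs called in this block
    subcalls: list = field(default_factory=list)  # internal functions called ("call X")
    succ: list = field(default_factory=list)      # successor node numbers


def parse_graph(text):
    """Return {node_number: Block} for one graph dump."""
    toks = text.split()
    if not toks or toks[0] not in ("control_flow_graph", "execution_graph"):
        raise ValueError("not a Joe Sandbox graph dump")
    blocks, edges, cur, i = {}, [], None, 1
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:                                   # "a->b": edge; ends the current node's labels
            edges.append((int(m.group(1)), int(m.group(2))))
            cur, i = None, i + 1
        elif tok.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            start, _, end = toks[i + 1].partition("-")          # new node header
            cur = blocks[int(tok)] = Block(int(tok), start, end or start)
            i += 2
        elif tok.isdigit() and i + 1 >= len(toks):
            break                               # dump cut off right after a node number
        elif cur is None:
            raise ValueError(f"label {tok!r} outside any node")
        elif tok == "call":                     # "call 14000175c": internal subcall
            cur.subcalls.append(toks[i + 1]); i += 2
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            cur.apis.append(f"{tok} API calls"); i += 3       # summarised node
        else:
            cur.apis.append(tok); i += 1        # plain imported-API name
    for a, b in edges:
        if a in blocks and b in blocks:         # ignore edges into a truncated part
            blocks[a].succ.append(b)
    return blocks


def api_sequence(blocks):
    """Imported APIs in address order: the quick triage view of a function."""
    ordered = sorted(blocks.values(), key=lambda b: int(b.start, 16))
    return [api for b in ordered for api in b.apis]


def reachable(blocks, src, dst):
    """Depth-first search over successor edges."""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(blocks[n].succ)
    return False


# Ordered API chain of classic process hollowing (assumed signature, not from the report).
HOLLOWING_CHAIN = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                   "GetThreadContext", "SetThreadContext", "ResumeThread"]


def chained_in_cfg(blocks, chain=HOLLOWING_CHAIN):
    """True if each API in `chain` is called in a block reachable along CFG edges
    from some block calling the previous API (stricter than address order)."""
    frontier = None
    for api in chain:
        callers = [n for n, b in blocks.items() if api in b.apis]
        if frontier is not None:
            callers = [c for c in callers if any(reachable(blocks, p, c) for p in frontier)]
        if not callers:
            return False
        frontier = callers
    return True


# Graph dump of function 140001c88 exactly as serialised on this report page.
HOLLOW_CFG = (
    "control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 287 140001e8c-140001e91 "
    "286->287 288 140001cce-140001d25 CreateProcessW 286->288 287->286 291 140001e97 287->291 289 140001e88 "
    "288->289 290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 292 140001e5d-140001e60 290->292 "
    "293 140001d60-140001d7b WriteProcessMemory 290->293 294 140001e99-140001eb9 291->294 295 140001e62-140001e76 "
    "OpenProcess 292->295 296 140001e85 292->296 293->292 297 140001d81-140001d87 293->297 295->289 "
    "298 140001e78-140001e83 TerminateProcess 295->298 296->289 299 140001dd2-140001def VirtualAlloc 297->299 "
    "300 140001d89 297->300 298->289 299->292 301 140001df1-140001e07 GetThreadContext 299->301 "
    "302 140001d8c-140001dba WriteProcessMemory 300->302 301->292 304 140001e09-140001e2e WriteProcessMemory "
    "301->304 302->292 303 140001dc0-140001dcc 302->303 303->302 305 140001dce 303->305 304->292 "
    "306 140001e30-140001e4c SetThreadContext 304->306 305->299 306->292 307 140001e4e-140001e5b ResumeThread "
    "306->307 307->292 308 140001eba-140001ebf 307->308 308->294")

# Constructed negative sample: creates a process and resumes a thread but never writes into it.
BENIGN_CFG = ("control_flow_graph 1 140001000-14000101f CreateProcessW 2 140001020-14000102f "
              "ResumeThread 1->2 3 140001030 2->3")

if __name__ == "__main__":
    blocks = parse_graph(HOLLOW_CFG)
    print(" -> ".join(api_sequence(blocks)))
    print("process-hollowing chain present:", chained_in_cfg(blocks))
```

                                   The reachability check matters because address order alone would also accept a function whose hollowing APIs sit in unrelated branches; walking the successor edges confirms that a single execution path creates the process, writes into it, rewrites the thread context and resumes it, which is what the 140001c88 graph shows.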
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                  • String ID: dialersvc64
                                  • API String ID: 4184240511-3881820561
                                  • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                  • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                  • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                  • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Delete$CloseEnumOpen
                                  • String ID: SOFTWARE\dialerconfig
                                  • API String ID: 3013565938-461861421
                                  • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                  • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                  • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                  • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: File$Write$CloseCreateHandle
                                  • String ID: \\.\pipe\dialercontrol_redirect64
                                  • API String ID: 148219782-3440882674
                                  • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                  • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                  • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                  • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000031.00000002.3112120885.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                   • Associated: 00000031.00000002.3111702588.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112551272.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                   • Associated: 00000031.00000002.3112843528.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_49_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: ntdll.dll
                                  • API String ID: 1646373207-2227199552
                                  • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                  • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                  • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                  • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                  Execution Graph

                                   Execution Coverage: 2.2%
                                   Dynamic/Decrypted Code Coverage: 0%
                                   Signature Coverage: 0%
                                   Total number of Nodes: 897
                                   Total number of Limit Nodes: 2
                                   Execution graph (rendered graph omitted; the serialised node/edge list is summarised here per function, with the API calls the report attributes to each address):
                                   • 140001000 (CRT start-up): 14000108b __set_app_type; 1400010b6 → 140001e00 → 140006bd0 __setusermatherr
                                   • 140001160 (entered from 140001140): 1400011a0 Sleep; 1400011c7 _amsg_exit; 140001201 _initterm; 140001880 → 140001247 SetUnhandledExceptionFilter, with 1400018a2 → 14000194d / 140001a20 → 1400019e9 VirtualProtect and 140001ba0 (4 API calls); 14000126f malloc; 1400012a0 strlen, malloc, memcpy; call to 140003240, returning to 140001315; 14000132d _cexit; 140001160 re-entered (76 API calls)
                                   • 140001394: 140006630 malloc → 1400013c6 NtManageHotPatch. The stubs 140001404 … 1400015f3 form a ladder in which each step falls through to the next and calls 140001394 (2 API calls); the ladder is entered at 140001404, 140001422, 140001431, 14000145e, 14000146d, 1400014a9, 1400014d6, 140001521, 14000153f, 14000157b, 140001599 and 1400015a8
                                   • 140001800: 140001835 fprintf
                                   • 140001a70 / 14000199e (entered from 140001ab3, 140001ac3 and 140001ae4): 1400019e9 VirtualProtect; 140001b36 → 140001ba0: 140001c04 memcpy, 140001c45 VirtualQuery, 140001ca4 VirtualProtect, 140001d23 GetLastError
                                   • 140001e10 / 140001e65 / 140001f47: signal at 140001e67, 140001e82, 140001ed3, 140001eea and 140001f12
                                   • 140001fd0: 140001ffd EnterCriticalSection, LeaveCriticalSection
                                   • 140002050: 14000205e EnterCriticalSection; 1400020bd free; 1400020c2 LeaveCriticalSection
                                   • 140002104: 140002111 EnterCriticalSection; 14000214d TlsGetValue, GetLastError; 14000220b LeaveCriticalSection; 140002230 free; 140002241 DeleteCriticalSection
                                   • 14000216f: 140002178 InitializeCriticalSection
                                   • 14000219e: 1400021ab EnterCriticalSection; 1400021e9 TlsGetValue, GetLastError; 140002265 LeaveCriticalSection
                                   • 140002320: strlen
                                   • 140003240 (called from the 140001160 start-up path; returns to 140001315 from 14000358e and 140005b7c): wide-string assembly with wcslen at 14000338a, 14000352d, 140003576, 140003bab, 140003bd6, 140003f7a, 140004b59, 140004ccd, 140004ed9, 140004fc6, 14000513d and 140005c27; wcslen, memset at 140004024; memset at 1400034ab, 1400046bf, 140004912, 140004f5c, 1400057d5, 14000583b and 1400059d0; _wcsnicmp at 140003560, 140003bc0, 1400044d4, 140004532, 140004586 and 14000502e; wcscpy, wcscat, memset at 140003651, 1400036d3, 14000381e, 140003cfa and 140003d7f; wcscpy, wcscat at 140003df5; wcscpy, wcscat, wcslen at 140004733, 140004936, 140005895 and 140005a31; wcsstr at 140004357; memcpy at 1400061a2, 140005d9f and 140005f6d; 1400027d0 (11 API calls) called from 140004a60; the 140001394 stub ladder called throughout
                                   • 140006630: 14000664e / 14000667b / 140006723 → 14000673f malloc → 140006760
                                   The serialised graph on this page ends mid-list at node 2679 (140001394); the remainder of the execution graph is not available here.
2 API calls 2678->2679 2680 140001512 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001521 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001530 2683->2684 2685 140001394 2 API calls 2684->2685 2686 14000153f 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000154e 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000155d 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000156c 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000157b 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000158a 2695->2696 2697 140001394 2 API calls 2696->2697 2698 140001599 2697->2698 2699 140001394 2 API calls 2698->2699 2700 1400015a8 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015b7 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015c6 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015d5 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015e4 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015f3 2709->2710 2710->2348 2711 140001440 2710->2711 2712 140001394 2 API calls 2711->2712 2713 14000144f 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000145e 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000146d 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000147c 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000148b 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000149a 2722->2723 2724 140001394 2 API calls 2723->2724 2725 1400014a9 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014b8 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014c7 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014d6 2730->2731 2732 1400014e5 2731->2732 2733 140001394 2 API calls 2731->2733 2734 140001394 2 API calls 2732->2734 2733->2732 2735 1400014ef 2734->2735 2736 1400014f4 2735->2736 2737 140001394 2 API calls 2735->2737 2738 140001394 2 API calls 2736->2738 2737->2736 2739 1400014fe 2738->2739 2740 140001503 2739->2740 2741 
140001394 2 API calls 2739->2741 2742 140001394 2 API calls 2740->2742 2741->2740 2743 14000150d 2742->2743 2744 140001394 2 API calls 2743->2744 2745 140001512 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001521 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001530 2748->2749 2750 140001394 2 API calls 2749->2750 2751 14000153f 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000154e 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000155d 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000156c 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000157b 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000158a 2760->2761 2762 140001394 2 API calls 2761->2762 2763 140001599 2762->2763 2764 140001394 2 API calls 2763->2764 2765 1400015a8 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015b7 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015c6 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015d5 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015e4 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015f3 2774->2775 2775->2348 2775->2355 2777 1400014e5 2776->2777 2778 140001394 2 API calls 2776->2778 2779 140001394 2 API calls 2777->2779 2778->2777 2780 1400014ef 2779->2780 2781 1400014f4 2780->2781 2782 140001394 2 API calls 2780->2782 2783 140001394 2 API calls 2781->2783 2782->2781 2784 1400014fe 2783->2784 2785 140001503 2784->2785 2786 140001394 2 API calls 2784->2786 2787 140001394 2 API calls 2785->2787 2786->2785 2788 14000150d 2787->2788 2789 140001394 2 API calls 2788->2789 2790 140001512 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001521 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001530 2793->2794 2795 140001394 2 API calls 2794->2795 2796 14000153f 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000154e 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000155d 2799->2800 2801 140001394 2 API calls 2800->2801 2802 
14000156c 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000157b 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000158a 2805->2806 2807 140001394 2 API calls 2806->2807 2808 140001599 2807->2808 2809 140001394 2 API calls 2808->2809 2810 1400015a8 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015b7 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015c6 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015d5 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015e4 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015f3 2819->2820 2820->2366 2822 140001394 2 API calls 2821->2822 2823 140001530 2822->2823 2824 140001394 2 API calls 2823->2824 2825 14000153f 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000154e 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000155d 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000156c 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000157b 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000158a 2834->2835 2836 140001394 2 API calls 2835->2836 2837 140001599 2836->2837 2838 140001394 2 API calls 2837->2838 2839 1400015a8 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015b7 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015c6 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015d5 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015e4 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015f3 2848->2849 2849->2366 2851 140001394 2 API calls 2850->2851 2852 140001431 2851->2852 2853 140001394 2 API calls 2852->2853 2854 140001440 2853->2854 2855 140001394 2 API calls 2854->2855 2856 14000144f 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000145e 2857->2858 2859 140001394 2 API calls 2858->2859 2860 14000146d 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000147c 2861->2862 2863 140001394 2 API calls 2862->2863 2864 14000148b 2863->2864 2865 140001394 2 API calls 
2864->2865 2866 14000149a 2865->2866 2867 140001394 2 API calls 2866->2867 2868 1400014a9 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014b8 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014c7 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014d6 2873->2874 2875 1400014e5 2874->2875 2876 140001394 2 API calls 2874->2876 2877 140001394 2 API calls 2875->2877 2876->2875 2878 1400014ef 2877->2878 2879 1400014f4 2878->2879 2880 140001394 2 API calls 2878->2880 2881 140001394 2 API calls 2879->2881 2880->2879 2882 1400014fe 2881->2882 2883 140001503 2882->2883 2884 140001394 2 API calls 2882->2884 2885 140001394 2 API calls 2883->2885 2884->2883 2886 14000150d 2885->2886 2887 140001394 2 API calls 2886->2887 2888 140001512 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001521 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001530 2891->2892 2893 140001394 2 API calls 2892->2893 2894 14000153f 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000154e 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000155d 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000156c 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000157b 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000158a 2903->2904 2905 140001394 2 API calls 2904->2905 2906 140001599 2905->2906 2907 140001394 2 API calls 2906->2907 2908 1400015a8 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015b7 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015c6 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015d5 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015e4 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015f3 2917->2918 2918->2366 2920 140001394 2 API calls 2919->2920 2921 140001440 2920->2921 2922 140001394 2 API calls 2921->2922 2923 14000144f 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000145e 2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000146d 
2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000147c 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000148b 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000149a 2932->2933 2934 140001394 2 API calls 2933->2934 2935 1400014a9 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014b8 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014c7 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014d6 2940->2941 2942 1400014e5 2941->2942 2943 140001394 2 API calls 2941->2943 2944 140001394 2 API calls 2942->2944 2943->2942 2945 1400014ef 2944->2945 2946 1400014f4 2945->2946 2947 140001394 2 API calls 2945->2947 2948 140001394 2 API calls 2946->2948 2947->2946 2949 1400014fe 2948->2949 2950 140001503 2949->2950 2951 140001394 2 API calls 2949->2951 2952 140001394 2 API calls 2950->2952 2951->2950 2953 14000150d 2952->2953 2954 140001394 2 API calls 2953->2954 2955 140001512 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001521 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001530 2958->2959 2960 140001394 2 API calls 2959->2960 2961 14000153f 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000154e 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000155d 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000156c 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000157b 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000158a 2970->2971 2972 140001394 2 API calls 2971->2972 2973 140001599 2972->2973 2974 140001394 2 API calls 2973->2974 2975 1400015a8 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015b7 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015c6 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015d5 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015e4 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015f3 2984->2985 2985->2366

                                  Callgraph

                                  (Callgraph rendering omitted: the interactive legend and the Function_... node and edge list are not reproduced.)

                                  Control-flow Graph

                                  APIs
                                  • NtManageHotPatch.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: ManagePatch
                                  • String ID:
                                  • API String ID: 863949556-0
                                  • Opcode ID: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                  • Instruction ID: 6e9c43e43475a5412bc82c74bb0b22b7dbbc15337bd8e373d78586065a7e04e3
                                  • Opcode Fuzzy Hash: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
                                  • Instruction Fuzzy Hash: BFF05FB6608B408AEA16DF62F85179A77A5F79D7C0F009919BBC857735DB3CC1A0CB40

                                  Control-flow Graph

                                  (Control-flow graph of the function starting at 1400027d0; rendering and node list omitted.)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                  • String ID: 0$X$\BaseNamedObjects\tdtnwhboinhjvqzo$`
                                  • API String ID: 780471329-3231034974
                                  • Opcode ID: ca53d6e8019bd571e400d263ffd5380c65dd55ae1dd545ee4db50b45edd5d238
                                  • Instruction ID: 56cd5b0c271acbbbc6751e4ae85c944112931b810d7e87b31a5b958615d570a5
                                  • Opcode Fuzzy Hash: ca53d6e8019bd571e400d263ffd5380c65dd55ae1dd545ee4db50b45edd5d238
                                  • Instruction Fuzzy Hash: 91125AB2608BC481E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                  • String ID:
                                  • API String ID: 2643109117-0
                                  • Opcode ID: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
                                  • Instruction ID: 145ef27ce15272fb8ed355f5aa63f0c9a1f5ede9e4593ea7d6eb0f0a7906d2e7
                                  • Opcode Fuzzy Hash: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
                                  • Instruction Fuzzy Hash: F55111F1611A4085FB16EF27F9947EA27A1BB8DBD0F449121FB4E873B2DE3884958700

                                  Control-flow Graph

                                  (Control-flow graph of the function starting at 140001ba0; rendering and node list omitted.)
                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                  • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                  • memcpy.MSVCRT ref: 0000000140001CE0
                                  • GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                  • API String ID: 2595394609-2123141913
                                  • Opcode ID: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
                                  • Instruction ID: 2ed46510ed1d0a58bb00a12b4a38f7601a8ffa55d26e4d8577210080af0f0105
                                  • Opcode Fuzzy Hash: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
                                  • Instruction Fuzzy Hash: 064132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                  Control-flow Graph

                                  (Control-flow graph of the function starting at 140002104; rendering and node list omitted.)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                  • String ID:
                                  • API String ID: 3326252324-0
                                  • Opcode ID: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
                                  • Instruction ID: 9494385bac82c96470a5ad2ca80031d016a952209e6f2660f35a807c86e33b41
                                  • Opcode Fuzzy Hash: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
                                  • Instruction Fuzzy Hash: 9121F5B0305A0192FA6BDB53F9483E823A4BB6CBD0F444121FF5A476B4DB79C986C300

                                  Control-flow Graph

                                  (Control-flow graph of the function starting at 140001e10; rendering and node list omitted.)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CCG
                                  • API String ID: 0-1584390748
                                  • Opcode ID: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                  • Instruction ID: 0d0cdd76e27464eab58c3101b34b7ecc2a8ef26ebffc61dfa6a838f535d4530f
                                  • Opcode Fuzzy Hash: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                  • Instruction Fuzzy Hash: 0E2159B1A0510542FA77DA2BB5903F92182ABCC7E4F258635FF19873F5DF7888C28241

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 0000000140001880, basic blocks 140001880-140001b98; calls sub_140002420, sub_140002660, sub_140001ba0, sub_140001d40 and VirtualProtect (ref 00000001400019F9). The VirtualProtect call together with the "Unknown pseudo relocation bit size / protocol version" format strings below matches the mingw-w64 CRT pseudo-relocation fixup routine (_pei386_runtime_relocator), i.e. compiler runtime code rather than sample-specific logic; the VirtualProtect hit here is not by itself an indicator.]
                                  APIs
                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                  • API String ID: 544645111-395989641
                                  • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                  • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                  • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                  • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 0000000140001800, basic blocks 140001800-140001867; calls sub_140002290 and fprintf. The "_matherr(): %s in %s(%g, %g) (retval=%g)" string below is the default _matherr handler of the mingw-w64 CRT, again runtime code rather than sample logic.]
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: fprintf
                                  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                  • API String ID: 383729395-3474627141
                                  • Opcode ID: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                  • Instruction ID: 497f2bda4b805bebb598d258fe75f44a47035596d1a2b2a7541446a23c8471c2
                                  • Opcode Fuzzy Hash: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                  • Instruction Fuzzy Hash: 61F0F671A14A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C310

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 000000014000219E, basic blocks 14000219e-140002280; EnterCriticalSection, then a loop over TlsGetValue/GetLastError, then LeaveCriticalSection.]
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000032.00000002.3112081035.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000032.00000002.3111660740.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112501360.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3112893139.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000032.00000002.3113332960.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_50_2_140000000_dialer.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                  • String ID:
                                  • API String ID: 682475483-0
                                  • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                  • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                  • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                  • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300

                                  Execution Graph

                                  Execution Coverage:0.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:73
                                  Total number of Limit Nodes:2
                                  [Execution graph rendered as an image; node list omitted. Recoverable call structure:
                                  • 26a8799273c loops over LoadLibraryA (import resolution).
                                  • 26a879c1abc calls 26a879c1628, which allocates from the process heap (GetProcessHeap/HeapAlloc via 26a879c1268) and then opens a sequence of registry keys with RegOpenKeyExW/RegCloseKey, handing each key to 26a879c12bc or 26a879c104c (RegQueryInfoKeyW, RegEnumValueW, HeapAlloc/HeapFree, lstrlenW, StrCpyW; string matching in 26a879c152c via StrCmpIW/StrCmpW).
                                  • After the keys are read, 26a879c1acb loops on Sleep/SleepEx with StrCmpIW/StrCmpW comparisons in 26a879c1598.
                                  The key and value names consumed by this loader are listed in the String ID of the next function entry.]

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                  • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                  • API String ID: 106492572-2879589442
                                  • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction ID: 8b3f40dc757b03efebebe1ec2b21d8ee4b81ef9a05be350be4598fcd48a0c6e5
                                  • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                  • Instruction Fuzzy Hash: 99715D76310E1086EF90DF66E89869D3BB4FB85B88F405111EE4E67B68EF3AC444CB45

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: bbd561d3a30add4c1150a9458a01d63078364739115671f5aea34e55c8598808
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: 0211807261064182FFE0AB22F90D35D36A4A7D4385FD04124EA0EA3696EFBBC0849F13

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0000026A879C1628: GetProcessHeap.KERNEL32 ref: 0000026A879C1633
                                    • Part of subcall function 0000026A879C1628: HeapAlloc.KERNEL32 ref: 0000026A879C1642
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16B2
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DF
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C16F9
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1719
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1734
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1754
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C176F
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C178F
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17AA
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17CA
                                  • Sleep.KERNEL32 ref: 0000026A879C1AD7
                                  • SleepEx.KERNELBASE ref: 0000026A879C1ADD
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17E5
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1805
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1820
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1840
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C185B
                                    • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C187B
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1896
                                    • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C18A0
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: 5eed58e8f7c032d1df488f6ec5371d2936970acb8e97615792f8d803c15a43b0
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: 2931E5F5240A4581FFD0AB26DA493BD73A4ABC4BD0F0454219E09A77DAFF26C491CE1A

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 0000026A8799273C, basic blocks 26a8799273c-26a879929d0; calls sub_26a879929d4 four times, then loops on LoadLibraryA.]
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: 57387411ffdeb412b963753acb60f61000c0759ef6c355c86f1a01fa76b5fc3d
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: B5613532B016908BFB94CF15D10872DF3A6FB54BA4F588121DF59277C8DA39D892CB01

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 0000026A879C2B2C, basic blocks 26a879c2b2c-26a879c2f03; calls sub_26a879e2ce0, GetModuleHandleA, sub_26a879d6090, StrCmpNIW, sub_26a879c199c, sub_26a879c1bbc, lstrlenW, sub_26a879c152c, sub_26a879c3844 and sub_26a879c85c0. Together with the NtQueryObject / ntdll.dll / \Device\Nsi strings below, this is consistent with a routine that resolves NtQueryObject and compares handle names against \Device\Nsi, the device behind the Network Store Interface that netstat and GetExtendedTcpTable query for connection tables; it fits the NtDeviceIoControlFile hook and the tcp_local/tcp_remote/udp configuration values seen elsewhere in this module.]
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                  • API String ID: 2119608203-3850299575
                                  • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction ID: 28832ac34e84ece53f7b50bb78eaf8a37b486e288825972d32e086a5872c7075
                                  • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                  • Instruction Fuzzy Hash: 42B17A76210A9082EFE8DF25D4487AD77A5FB94B84F445026EE0977798EF36CC80CB42
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 938e5285386ac3705a1524c506204be3636963da77c64c4e1ce6b6d8eddc6828
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: 50315072205B808AEBA0DF60E8847ED7B64F785744F44442AEB4D67B98EF39C548CB11
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                  • String ID:
                                  • API String ID: 1239891234-0
                                  • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction ID: d1d1b9292f01f4f5fbfa14a2dc646865464e2607e4ff46e76a86c3c994235719
                                  • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                  • Instruction Fuzzy Hash: DC318132214F8086EBA0DF25E88439E7BA4F7C9798F540126EA9D53B98EF39C545CF01

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                  • String ID: d
                                  • API String ID: 2005889112-2564639436
                                  • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction ID: 07cfe981894990384c0c086665b30c926e9edc38e061a20603f020415e03ff94
                                  • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                  • Instruction Fuzzy Hash: 70514A76204B8486EB94CF62E54835EBFA1F78AFD9F048124EA4A57758EF3DC049CB01

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentThread$AddressHandleModuleProc
                                  • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                  • API String ID: 4175298099-1975688563
                                  • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction ID: dfe63a10a49480e1aef6057fb1ce33c2d81f6763df8e5d6cfa68f1b74ee8636c
                                  • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                  • Instruction Fuzzy Hash: EF31C8B5144A4AA0FE94EF65E85A7EC3B24F784348FC04013954933176AFBEC289CF92
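The GetProcAddress string table above (NtQueryDirectoryFile, NtEnumerateKey, NtEnumerateValueKey, NtQuerySystemInformation, NtDeviceIoControlFile, NtResumeThread, EnumServicesStatusExW, EnumServiceGroupW, resolved from ntdll.dll, advapi32.dll and sechost.dll) is the set of exports the injected module patches to hide its files, registry keys, processes, services and connections. The script below is an added example, not part of the Joe Sandbox report or of the sample: it classifies the entry bytes of an export as one of the common inline-hook trampolines (jmp rel32, jmp [rip+disp32], mov rax/jmp rax, push/ret), checks that ntdll Nt* stubs still start with the unpatched x64 prologue, and on Windows reads those bytes live from the calling process. The trampoline patterns, the x64 stub prefix, the DLL-to-export mapping in HOOK_TARGETS and the byte strings in the test data are assumptions and constructed inputs, not bytes recovered from the sample.

```python
"""Entry-point inline-hook check for the exports listed in the report.

Added example (not from the Joe Sandbox report or the sample). The hook
patterns, the x64 stub prefix and the DLL-to-export mapping are assumptions
about common user-mode hooking, not facts recovered from the sample.
"""
import struct
import sys

MASK64 = (1 << 64) - 1

# Export names the report shows the injected module resolving by name. Which
# of the three DLLs each name is taken from is assumed; the scan tries all.
HOOK_TARGETS = {
    "ntdll.dll": [
        "NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
        "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
        "NtQuerySystemInformation", "NtResumeThread",
    ],
    "advapi32.dll": ["EnumServicesStatusExW", "EnumServiceGroupW"],
    "sechost.dll": ["EnumServicesStatusExW", "EnumServiceGroupW"],
}

# Unpatched x64 ntdll Nt* stubs begin: mov r10, rcx ; mov eax, <syscall id>
# (assumption: x64 only; 32-bit and ARM64 stubs look different).
CLEAN_NT_STUB_PREFIX = b"\x4C\x8B\xD1\xB8"


def find_entry_hook(addr, data):
    """Classify the first instruction at virtual address `addr` (bytes `data`).

    Returns (kind, target) for the usual trampoline shapes, else None. For an
    indirect jmp the 8-byte pointer slot is resolved when it lies inside `data`;
    otherwise the slot address is returned so the caller can read it.
    """
    if len(data) >= 5 and data[0] == 0xE9:                     # jmp rel32
        rel = struct.unpack_from("<i", data, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & MASK64)
    if len(data) >= 6 and data[:2] == b"\xFF\x25":              # jmp [rip+disp32]
        disp = struct.unpack_from("<i", data, 2)[0]
        slot = (addr + 6 + disp) & MASK64
        off = slot - addr
        if 0 <= off and off + 8 <= len(data):
            return ("jmp [rip+disp32]", struct.unpack_from("<Q", data, off)[0])
        return ("jmp [rip+disp32] -> slot", slot)
    if len(data) >= 12 and data[:2] == b"\x48\xB8" and data[10:12] == b"\xFF\xE0":
        return ("mov rax,imm64; jmp rax", struct.unpack_from("<Q", data, 2)[0])
    if len(data) >= 6 and data[0] == 0x68 and data[5] == 0xC3:  # push imm32; ret
        return ("push imm32; ret", struct.unpack_from("<I", data, 1)[0])
    return None


def is_clean_nt_stub(data):
    """True if `data` begins like an unpatched x64 ntdll syscall stub."""
    return data[:4] == CLEAN_NT_STUB_PREFIX


def check_export(dll, name, addr, data):
    """Apply both checks to one export; None means nothing suspicious."""
    hook = find_entry_hook(addr, data)
    if hook is None and dll == "ntdll.dll" and not is_clean_nt_stub(data):
        hook = ("unexpected prologue", data[:8].hex())
    return hook


def scan_live(targets=HOOK_TARGETS, nbytes=16):
    """Windows only: read each export's entry bytes from the calling process.

    Returns {"dll!name": (kind, target)} for entries that look patched; on
    other platforms it returns {} so the pure-bytes helpers stay usable.
    ntdll is mapped at one base for every process in a boot session, so the
    same addresses can be read out of explorer.exe/svchost.exe with
    ReadProcessMemory to inspect the injected targets instead of this process.
    """
    if sys.platform != "win32":
        return {}
    import ctypes
    findings = {}
    for dll, names in targets.items():
        try:
            mod = ctypes.WinDLL(dll)
        except OSError:
            continue
        for name in names:
            try:
                func = getattr(mod, name)
            except AttributeError:      # e.g. NtQueryDirectoryFileEx on older builds
                continue
            addr = ctypes.cast(func, ctypes.c_void_p).value
            data = ctypes.string_at(addr, nbytes)
            hook = check_export(dll, name, addr, data)
            if hook is not None:
                findings[f"{dll}!{name}"] = hook
    return findings


if __name__ == "__main__":
    for export, (kind, target) in scan_live().items():
        tgt = hex(target) if isinstance(target, int) else target
        print(f"{export}: {kind} -> {tgt}")
```

A hit means an inline hook is present, not by itself that this sample installed it: EDR agents patch the same Nt* stubs. Resolve the jump target to its owning module (the sample's hooks would land in an unbacked private region of explorer.exe/svchost.exe rather than in a signed DLL) before treating it as this rootkit.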

                                  Control-flow Graph

                                  [Control-flow graph rendered as an image; node list omitted. Function 0000026A87996910, basic blocks 26a87996910-26a87996c2c; MSVC CRT DllMain dispatch (__scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c, the __scrt_acquire/release_startup_lock pair and the dynamic-initializer walk), i.e. compiler runtime code for the injected module at 26a87990000 rather than sample logic.]
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                  • API String ID: 190073905-1786718095
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: b047a768bb49e332fa12a0d509f504b7dc68172f8f015219012fb81a31179565
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: DB81D23170524186FBD0EF65944D39D72E1EB87780F588425AA0977796EF3BC9868F03

                                  Control-flow Graph

                                  APIs
                                  • GetLastError.KERNEL32 ref: 0000026A879CCE37
                                  • FlsGetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE4C
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE6D
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE9A
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEAB
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEBC
                                  • SetLastError.KERNEL32 ref: 0000026A879CCED7
                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF0D
                                  • FlsSetValue.KERNEL32(?,?,00000001,0000026A879CECCC,?,?,?,?,0000026A879CBF9F,?,?,?,?,?,0000026A879C7AB0), ref: 0000026A879CCF2C
                                    • Part of subcall function 0000026A879CD6CC: HeapAlloc.KERNEL32 ref: 0000026A879CD721
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF54
                                    • Part of subcall function 0000026A879CD744: HeapFree.KERNEL32 ref: 0000026A879CD75A
                                    • Part of subcall function 0000026A879CD744: GetLastError.KERNEL32 ref: 0000026A879CD764
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF65
                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF76
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast$Heap$AllocFree
                                  • String ID:
                                  • API String ID: 570795689-0
                                  • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction ID: fbbfd203b105abf8085660589179a2c6459f60e277cac02fd6d43f7fad114619
                                  • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                  • Instruction Fuzzy Hash: F941B13234164882FEF8A735565E37D36965BC67B0F640724A936377E6EE2BC8019E03

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                  • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                  • API String ID: 2171963597-1373409510
                                  • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction ID: b02012d5428b01c1f3b2143805af3d2ef8a5ba1a4c44cc927d8b5d08adb94f93
                                  • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                  • Instruction Fuzzy Hash: 8C213836618A4082EB50CB25F44836E7BA1F78ABE4F544215EA5913AA8DF7DC189CF02

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: function entry block 26a879ca544-26a879ca5ac, first call 26a879cb414 (node and edge listing of the rendered graph omitted)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction ID: 444f81f33de08ab68ee44032b3efa5b7945037919697de8df49d031d9224469b
                                  • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                  • Instruction Fuzzy Hash: E2E1C172604B80CAEFA0DF65D58939D77A0F799BA8F100116EE8967B99CB35C581CF02

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: function entry block 26a87999944-26a879999ac, first call 26a8799a814 (node and edge listing of the rendered graph omitted)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                  • String ID: csm$csm$csm
                                  • API String ID: 849930591-393685449
                                  • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction ID: 1f6ce65c737b67c16a74770dcca6a547431568ee9d47403595349a7bcceb887e
                                  • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                  • Instruction Fuzzy Hash: 97E1D572605B408AFBA0DF65D48839D77B4F7A97A8F100116EE8D67B99DB36C091CF02

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: AddressFreeLibraryProc
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3013587201-537541572
                                  • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction ID: e22ce2f0d6908cfb41650f8e3b1f78ec9287b8d585868ecd0f1c06e4ba5b9ad5
                                  • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                  • Instruction Fuzzy Hash: 5D41E633311A0091FE96DB56A80CB5D3BA6F785BE0F5941299D0DAB784EE3AC4458B02

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph: function entry block 26a879c104c-26a879c10b9 RegQueryInfoKeyW; named API nodes RegEnumValueW, GetProcessHeap, HeapFree (node and edge listing of the rendered graph omitted)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                  • String ID: d
                                  • API String ID: 3743429067-2564639436
                                  • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction ID: f1e6073484f6787d024fb048a9424189236bd7d4ebebf72dc42381622d64dea6
                                  • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                  • Instruction Fuzzy Hash: 76417173214B84C6EBA0CF61E44839E7BA1F389B98F448129EA8917758EF3DC585CB01

                                  Control-flow Graph

                                  APIs
                                  • FlsGetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD087
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0A6
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0CE
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0DF
                                  • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID: 1%$Y%
                                  • API String ID: 3702945584-1395475152
                                  • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction ID: 7de55e3907eeb61d84b2ec02f2a106e95853d66b6f36fb83176ce734d1449b23
                                  • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                  • Instruction Fuzzy Hash: EC11823170868481FEF8A7395A5E37D715A5BC47F0F644324A839277EAEE6AC5028F02
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                  • String ID:
                                  • API String ID: 190073905-0
                                  • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction ID: 4ecf39c6d282c13922bf66bcab5b528d166167323d1dc1c22cdb0ae5698a6f63
                                  • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                  • Instruction Fuzzy Hash: CA81D43160064186FFD0AB2AA94D3AD7B90ABC97C0F5C4425EA4877796EB7BC9458F03
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 95f3983436fef2e635cbbbb6f4cfe75cb904a5ec283e5a170f3328164d622b80
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: FE312731316A00E1EF92DB46A80875C3BA4B7A9BB0F590525DD2E2B390EF3AC145CB02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: b5a7c8e5866d3be681c7c72b6341fd08360724eb52cb5406520433ec029d227b
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: A6116D32310B4086E7E0DB56F84831DBEA0F789FE5F444224EA5E97794DF79C8148B41
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                  • String ID: wr
                                  • API String ID: 1092925422-2678910430
                                  • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction ID: d5baf2fdec3915ccb6d5ba03a26523055d6eaf36c073b9562141c2a23a4540a2
                                  • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                  • Instruction Fuzzy Hash: 91115B36704B4182EF949B62F50826D7AB0FB8ABC5F440029EE8D27794EF3EC505CB06
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Thread$Current$Context
                                  • String ID:
                                  • API String ID: 1666949209-0
                                  • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction ID: d9bcf84c3bd1533dc594d755c904efc893949546bab9f2d4fefad5fd87b2f6ed
                                  • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                  • Instruction Fuzzy Hash: 23D18776208B8882DBB0DB0AE49835E7BA0F3D8B84F540116EA8D57BA9DF7DC541CF41
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID: dialer
                                  • API String ID: 756756679-3528709123
                                  • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction ID: 8cc78c2e0b9a0818aac4479415df311af9c6568ae4cde8b4077327d37afdd94e
                                  • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                  • Instruction Fuzzy Hash: 2231B032701B5582FA94DF16E54876DBBA4FB85BC0F084020EE4867B55EF36C4A18B42
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Value$ErrorLast
                                  • String ID:
                                  • API String ID: 2506987500-0
                                  • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction ID: a51daef424c37a2d87d3f48ae78d9347c480c631925ac01d6e6589b89c5644b5
                                  • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                  • Instruction Fuzzy Hash: E611B13130468082FEF4A735965E33D36666BC97F0F500324A83667BDAEE6BC4018E02
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: 9a315eb257f643b679e19e597653428afdd5a9ed67b0f0b7c202793297a7241d
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: CB016931300A4082EB94DB52A84C35DBBA1F789BC0F884035EE4963755DF3EC989CB01
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                  • String ID:
                                  • API String ID: 449555515-0
                                  • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction ID: 0005ef61f3f4758259884e0c528835bf75180136e8c964115b40faba9de71eb2
                                  • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                  • Instruction Fuzzy Hash: AE012D75211B4482EFA4DB62E80D31D7BB0BB86B86F444428DE4D27754EF7EC1488F02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 92aa7bb9b2b6dfa6ad1a732484a25b6d845d725c4ad4245d6686fe6e64f0842d
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: 2D51BD32701640CEEF94DF15E84DB5D3BA6F3A4BA8F518124DA0767788EB76C981CB06
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 2395640692-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: 1ab68a51141d201d9d3457faa14e522c8d132673c329719a63e2eaa97f42be49
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: 4331DF32200680CAEB94DF12E84CB1D7BA5F3A4BE8F458014EE4727789DB3AC941CF06
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: FinalHandleNamePathlstrlen
                                  • String ID: \\?\
                                  • API String ID: 2719912262-4282027825
                                  • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction ID: f116469fb9c2a0e448e9d2de76ad660752bf9178b15ca800e2592a53e1aade34
                                  • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                  • Instruction Fuzzy Hash: 93F03C7230464192EBA0CB21F88875D7F60F789BC8F888021DA4957958DA6EC68DCF05
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CombinePath
                                  • String ID: \\.\pipe\
                                  • API String ID: 3422762182-91387939
                                  • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction ID: 8951257b2819e3fd8c3a1e414e7e6c4bb950c718772d34c177490584403dd16d
                                  • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                  • Instruction Fuzzy Hash: D7F01C75718B8482FA94CF53B91C11DBE65AB89FD0F089131EE4A67B18DF7DC4458B02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction ID: 3b089b17eef97f58e315832727781e6d96eaf58a468135795a3cb71de5b836e2
                                  • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                  • Instruction Fuzzy Hash: 19F06271211A0481EF50CF29E44C35D7F20EB867A5F940219DA6A571E4DF2EC544CB02
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction ID: e84d3f95ef50d0da7100aa3763a05495aa81dff1962d31d5224108d669eafd74
                                  • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                  • Instruction Fuzzy Hash: EF02B632219B8486EBA0CB59E49875EB7A1F3D4794F204015EB8E97BA9DF7DC484CF01
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction ID: 67d3c669d68eaeb62026641d81c2ba8ade1a21c8528e3319f6dd4d7c6ecb65f5
                                  • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                  • Instruction Fuzzy Hash: EE61EA36519B44C6EBA0DB15E54832EB7A0F3D8784F600115FA8E57BA8DB7EC580CF02
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: 951121f1d836c29066c475965dea384ba1a895c4e71a86b8b5a2b369afc9a8fb
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: FC117036A10A9131FAE4D568E85E36D3D516B783F8F280724AD76376F6CA2AC8414E03
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: _set_statfp
                                  • String ID:
                                  • API String ID: 1156100317-0
                                  • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction ID: aeaa6a3608324816b59301e751e5f347b5c67f5421315ed83d7c14011e8581c2
                                  • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                  • Instruction Fuzzy Hash: 9711C232A12F1111FEE4152CE85E36DB9D06B58374F48A738AD7E277E6CA2AC8415E02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: _invalid_parameter_noinfo
                                  • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                  • API String ID: 3215553584-4202648911
                                  • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction ID: eebbbc8525f68246a3b0a6a29bd4a3cb681badd0c78307970aab721f545df6c1
                                  • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                  • Instruction Fuzzy Hash: 4861D372604640C2FAF9CB68E54C36EBAA2F785784F544425CA1A377A4DB37C885CF43
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CallEncodePointerTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3544855599-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: 91175b491b7fc14e3f1a7658fd3bfdb3fb1216593f4870ebf483384664c1c76e
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 26619D33A00B84CAEB60DF65D48439D7BA1F398BACF084215EF4927B98DB39C595CB41
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 893e4d8dc827b760fc59cebf5f18d00e76e891684a4649e14e6d9b3ac1800f38
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 2D51BF72100380CAEFB48F65958835D77A4F3D5BA5F188216EB8967BD5CB3AD490DF02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 24b885a40865372f2d4962931c6dd4c13311282acb065aa2b8f2b100d7f859d2
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: A251A032100380CAFBF48F25954839C77A0F355BA4F189216DB99A7BD5CB3AD490DF02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction ID: 8bc6e4c2ed6fb3d0b116afd45bb950e03d86cb73ff22765c23392437f1fb0b44
                                  • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                  • Instruction Fuzzy Hash: 8051DD327122009BFB94CF15E488F1C37A9F354B98F568168DA0A67788EB36D885CF07
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                  • String ID: csm$f
                                  • API String ID: 3242871069-629598281
                                  • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction ID: 6434e668c18de7f899a849f0e788a6f9301be5892d0fc4d1102cc1fdd749815e
                                  • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                  • Instruction Fuzzy Hash: A1319C32211740AAF794DF11E888F1D77A9F740B98F568018EE5B67788DB3AC945CB06
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                  • String ID:
                                  • API String ID: 2718003287-0
                                  • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction ID: 3076751dc3de790d1c224386df8ee1f4e5ab8c71f6f65ab3a3bed05673c9e6dc
                                  • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                  • Instruction Fuzzy Hash: 88D10132B14A8089EB51CFB9D4483AC3FB1F754BD8F108216DE5DA7B99DA3AC446CB41
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Free
                                  • String ID:
                                  • API String ID: 3168794593-0
                                  • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction ID: 8a01ecca636f93bdf911fe9301806ba74427497ad84442dbc2d131ee4094cafd
                                  • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                  • Instruction Fuzzy Hash: 9F115B76604A91D6E794DFA6A80814D7FA0FB8AFC5F084025EA4963716EE39C451CB41
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: a659f95e0478c9a379e7c93a59f58379ea217171002cffd52b577c1c22c3c908
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: 9391D032700A5085FBA0DF7594883AD3FA0F759B98F644109DE4A77A94DB7EC8C2CB02
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction ID: 4e80524f35fcef7bad59f85813724d52d64db0f3f33ffe74409acc95bda1e77e
                                  • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                  • Instruction Fuzzy Hash: A4115A32710F018AEB90DF60E8583AC37B4F31A758F440E21EA6D537A4EB78C1988780
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction ID: 97ea5c88fb40b65250efba85239deb6fe808c8ef7dc44d6fea174178200e4e45
                                  • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                  • Instruction Fuzzy Hash: E671B636200B8186EFB5DF25D8993AE77A4F3C9B84F550026DD0963B89DE36D685CB02
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: CallTranslator
                                  • String ID: MOC$RCC
                                  • API String ID: 3163161869-2084237596
                                  • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction ID: e083ef4e6a99dc2faf5a08287110857988fabb0183ff147dc1fcf3667f8f1dd1
                                  • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                  • Instruction Fuzzy Hash: 33618B33A05B848AFBA0DFA5D48439D77B0F398B98F044215EF4927B98DB3AD595CB01
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID: \\.\pipe\
                                  • API String ID: 3081899298-91387939
                                  • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction ID: a2f76bc1a186076cee4736489c3d4438f40eba79840f7ba633a66ebf323134d9
                                  • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                  • Instruction Fuzzy Hash: EA51C43220478182FFB4DB2AA45C3AEBB91F3D5780F450125DE5A27B99DA3BC585CF42
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID: U
                                  • API String ID: 442123175-4171548499
                                  • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction ID: 5c34eae6179e8718e065711947d23fa5df45d25b207243dff04b03615aa00afe
                                  • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                  • Instruction Fuzzy Hash: 8541A433715A8086DBA0DF25E8483ADBFA1F798794F944021EE4D97794EB7DC441CB41
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFileHeaderRaise
                                  • String ID: csm
                                  • API String ID: 2573137834-1018135373
                                  • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction ID: 516278ab517d9276ea0f4953800809262020678c9f6335137ecd7ce881f65308
                                  • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                  • Instruction Fuzzy Hash: 3D112836214B8082EBA18B15E44835DBBE5FB99BA4F584225EF8C17B68DF3DC551CB00
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: ierarchy Descriptor'$riptor at (
                                  • API String ID: 592178966-758928094
                                  • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction ID: 290368697319c93d0959a6d4aceff4e73c937a6d0c9df6ff90baa51795892e9d
                                  • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                  • Instruction Fuzzy Hash: CFE08671741B4490DF418F21E88469C73A1DBA8B64F889122995C1B311FA38D1E9C702
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122379675.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a87990000_svchost.jbxd
                                  Similarity
                                  • API ID: __std_exception_copy
                                  • String ID: Locator'$riptor at (
                                  • API String ID: 592178966-4215709766
                                  • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction ID: 57ea791ecea9af06e65d832b1adcba3d40aeefbf742ffe7567ba952dade77035
                                  • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                  • Instruction Fuzzy Hash: 19E08671701B4490DF418F21E48069C7361E7A8B54F889122C94C1B311EA38D1E5C701
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction ID: 7016fa5795a79e5502fdc21d921c24760b1a256b601511705076004f3255fffb
                                  • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                  • Instruction Fuzzy Hash: A8119175641B4482EE94DF66A40C22D7BA1FBCAFC0F184025EE4D63766EF3AC442C741
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000033.00000002.3122927215.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_51_2_26a879c0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: b1c6b37d2b3670007f77e6ad3635e51a98d0f2eb219863f2620388776d6560d5
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 08E06D3560160486EB44CFA2D80C34E3EE1FB8AF86F04C024C90907351DF7EC499CB51

                                  Execution Graph

                                  Execution Coverage: 56.2%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 87.5%
                                  Total number of Nodes: 8
                                  Total number of Limit Nodes: 1

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000034.00000002.3112146916.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                  • Associated: 00000034.00000002.3111659079.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3112146916.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                  • Associated: 00000034.00000002.3122336123.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                  • String ID:
                                  • API String ID: 1941872368-0
                                  • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                  • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                  • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                  • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                  Execution Graph

                                  Execution Coverage:0.8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:471
                                  Total number of Limit Nodes:3

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction ID: e4bf16918a7cacbca0db979268ad85abf1fead3538016a29a4f8caa0c503e4bd
                                  • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                  • Instruction Fuzzy Hash: 6AE06D35A0161886EB058F62D82838A37F1FB8AF0AF04C024CA8D47351EF7D8499C750

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
                                  • String ID:
                                  • API String ID: 3331406755-0
                                  • Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                  • Instruction ID: e89af08d413403d6e5d7482309db2184f3715486d0e1cd70b0b3824db1cad727
                                  • Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                  • Instruction Fuzzy Hash: 4C31B431A6876081EA269F226C502DE77B4B786BD8F48422BEA9E43BC5DF38C5458704

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                  • String ID:
                                  • API String ID: 1683269324-0
                                  • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction ID: ca808a076cef636c667c28671c52d662c11ceeea05346f25545d2e4f9369c430
                                  • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                  • Instruction Fuzzy Hash: 5F116130E3C66482FB629FB1F8557D923B4E76A34DF544127DA4E42B91EF78C04C8610

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00000179537A1628: GetProcessHeap.KERNEL32 ref: 00000179537A1633
                                    • Part of subcall function 00000179537A1628: HeapAlloc.KERNEL32 ref: 00000179537A1642
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16B2
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DF
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A16F9
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1719
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1734
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1754
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A176F
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A178F
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17AA
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17CA
                                  • Sleep.KERNEL32 ref: 00000179537A1AD7
                                  • SleepEx.KERNELBASE ref: 00000179537A1ADD
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17E5
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1805
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1820
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1840
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A185B
                                    • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A187B
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1896
                                    • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A18A0
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: CloseOpen$HeapSleep$AllocProcess
                                  • String ID:
                                  • API String ID: 1534210851-0
                                  • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction ID: b6c2e1d6c864596a4c04fdf18bbbf5071076cb135f023add6302ffefab344da2
                                  • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                  • Instruction Fuzzy Hash: 04313271F2866582FF529B36DA413E923F4AB46BC8F8854239E0D873D5FF24C859C610

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: dialer
                                  • API String ID: 0-3528709123
                                  • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                  • Instruction ID: dbbf6158d5080c7e4a12ec2d32b33ddd1bdad48742ffa41caff3c02827982d81
                                  • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                  • Instruction Fuzzy Hash: 7AD0A770B252558BFF56DFE688D46E02370EB0974CF884032C90802750EB1CD98DA720

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3120706212.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_17953770000_svchost.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction ID: aa063f8f75c6740ade699a4d29bdcc33ceee5f26798b0015945cd0de14dc5192
                                  • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                  • Instruction Fuzzy Hash: E6613532F096A087DB56CF15D0007ADB3F2F756BA8F188122CE6D17788DA38D866DB00
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                  • String ID:
                                  • API String ID: 3140674995-0
                                  • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction ID: 58b78ca673e8f1c025eb56569f683145776f8da21aff7224e17a305cb7f8da99
                                  • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                  • Instruction Fuzzy Hash: FC317072619B908AEB619F60E8503EE7371F785748F44402ADB8D57B94EF38C54CC714
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                  • String ID: api-ms-
                                  • API String ID: 2559590344-2084034818
                                  • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction ID: 1c35a6318a95a9f66357ff113d1e6293aa460ab4329f98c61122d8ffc54845e1
                                  • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                  • Instruction Fuzzy Hash: 5731D832B2E664E1EE13DB02A400BD963F4B74BBA8F5905279D5E47791EF38C45D8300
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                  • String ID: CONOUT$
                                  • API String ID: 3230265001-3130406586
                                  • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction ID: 1d5e788c20f4153e52296bcb8cadabdf0028e11074e208d04bdcdd6a952d3e19
                                  • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                  • Instruction Fuzzy Hash: 1C11C431B18BA482F7518B52E864359B3B4F389FE8F044226EA9E87794EF38C4488744
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                  • String ID:
                                  • API String ID: 517849248-0
                                  • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction ID: 56b2cd84fcc0e7ced0197c83fadfe9882c07905c38d9d912c2a518943b9c5019
                                  • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                  • Instruction Fuzzy Hash: 51016931B08A5482FB11DB52A8A879963B5F789BC8F888036DE8D43754EF3CC98DC704
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                  • String ID: csm$csm
                                  • API String ID: 3896166516-3733052814
                                  • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction ID: 643f0b19000955fd4531acc435b5a4dff8720e58fb8e76c4df4d970b4f056407
                                  • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                  • Instruction Fuzzy Hash: 4F51B072928BA0CAEBB98F25948439D77B0F756B8DF184117DA9D47BD9CB38C468C700
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000035.00000002.3121161238.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_53_2_179537a0000_svchost.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorLastMode
                                  • String ID:
                                  • API String ID: 953036326-0
                                  • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction ID: aa35c425ef9fc4d6b2506b4269cbb304a299e5433bf6d60ac2d50f473d078f8f
                                  • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                  • Instruction Fuzzy Hash: D191A032F1966485FB629F6594A03EE2BB0B746B8CF14410BDE4E67B95EF35C48AC700