Windows Analysis Report
Kawpow new.exe

Overview

General Information

Sample name: Kawpow new.exe
Analysis ID: 1585413
MD5: fb6a3b436e9f9402937d95f755b62f91
SHA1: aea3a8a311c2b8b6fc7d9d263b952f95a30b180e
SHA256: 4c9d878e35e7fd497c633a770d3359fb37447985450dc19f45db0925972c39e0
Tags: CoinMiner, exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • svchost.exe (PID: 6892 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6816 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • Kawpow new.exe (PID: 5520 cmdline: "C:\Users\user\Desktop\Kawpow new.exe" MD5: FB6A3B436E9F9402937D95F755B62F91)
    • powershell.exe (PID: 6372 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 7324 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7416 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7332 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7432 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7480 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7528 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7576 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7624 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7632 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7648 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7664 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7692 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • sc.exe (PID: 7732 cmdline: C:\Windows\system32\sc.exe delete "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7848 cmdline: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7900 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7908 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 720 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • eejhedztifcv.exe (PID: 7984 cmdline: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe MD5: FB6A3B436E9F9402937D95F755B62F91)
  • cleanup
No configs have been found
No yara matches

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\Kawpow new.exe", ParentImage: C:\Users\user\Desktop\Kawpow new.exe, ParentProcessId: 5520, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7624, ProcessName: powercfg.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Kawpow new.exe", ParentImage: C:\Users\user\Desktop\Kawpow new.exe, ParentProcessId: 5520, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6372, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7692, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 912, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Kawpow new.exe", ParentImage: C:\Users\user\Desktop\Kawpow new.exe, ParentProcessId: 5520, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", ProcessId: 7848, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Kawpow new.exe", ParentImage: C:\Users\user\Desktop\Kawpow new.exe, ParentProcessId: 5520, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6372, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6892, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Kawpow new.exe", ParentImage: C:\Users\user\Desktop\Kawpow new.exe, ParentProcessId: 5520, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7900, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe; ReversingLabs: Detection: 73%
Source: Kawpow new.exe; ReversingLabs: Detection: 73%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Kawpow new.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Source: C:\Users\user\Desktop\Kawpow new.exe; Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\dialer.exe; Code function: 31_2_00000001400010C0 OpenProcess, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpIW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, CloseHandle, StrStrA, VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, WaitForSingleObject, GetExitCodeThread, CloseHandle, CloseHandle
Source: C:\Windows\System32\winlogon.exe; Code function: 37_2_000001CA7D1E28C8 NtEnumerateValueKey, NtEnumerateValueKey
Source: C:\Windows\System32\lsass.exe; Code function: 43_2_0000017D2DD5202C NtQuerySystemInformation, StrCmpNIW
Source: C:\Windows\System32\dwm.exe; Code function: 45_2_00000262F1CD28C8 NtEnumerateValueKey, NtEnumerateValueKey
Source: C:\Windows\System32\svchost.exe; Code function: 48_2_000002287AD4202C NtQuerySystemInformation, StrCmpNIW
Source: C:\Windows\System32\dialer.exeCode function: 31_2_000000014000226C31_2_000000014000226C
Source: C:\Windows\System32\dialer.exeCode function: 31_2_00000001400014D831_2_00000001400014D8
Source: C:\Windows\System32\dialer.exeCode function: 31_2_000000014000256031_2_0000000140002560
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1C38A837_2_000001CA7D1C38A8
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1BD0E037_2_000001CA7D1BD0E0
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1B1F2C37_2_000001CA7D1B1F2C
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1F621837_2_000001CA7D1F6218
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1F44A837_2_000001CA7D1F44A8
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1EDCE037_2_000001CA7D1EDCE0
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1F610037_2_000001CA7D1F6100
Source: C:\Windows\System32\winlogon.exeCode function: 37_2_000001CA7D1F610037_2_000001CA7D1F6100
Source: C:\Windows\System32\winlogon.exe | Code function: 37_2_000001CA7D1E2B2C
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD21F2C
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD2D0E0
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD338A8
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD52B2C
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD5DCE0
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD644A8
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B8F1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B8FD0E0
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B9038A8
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B922B2C
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B92DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B9344A8
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CA1F2C
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CB38A8
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CAD0E0
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CD2B2C
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CE6218
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CE6100
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CE44A8
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CDDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942AE1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942AF38A8
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942AED0E0
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942B12B2C
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942B244A8
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942B1DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056AD0E0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056B38A8
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056A1F2C
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056DDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056E44A8
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056D2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056E6218
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000002287AD42B2C
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000002287AD544A8
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000002287AD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA61F2C
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA738A8
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA6D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA92B2C
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DAA44A8
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA9DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025202541F2C
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000002520254D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000252025538A8
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_0000025202572B2C
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000002520257DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_00000252025844A8
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001A9EBFCDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001A9EBFD44A8
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001A9EBFC2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF1601F2C
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF160D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF16138A8
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF1632B2C
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF163DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF16444A8
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1838A8
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A17D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A171F2C
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1B44A8
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1B60F0
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1A2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E1138A8
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E10D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E101F2C
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E1444A8
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E13DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E132B2C
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D26991F2C
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269A38A8
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D2699D0E0
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269C2B2C
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269D44A8
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269CDCE0
Source: Joe Sandbox View | Dropped File: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@56/69@0/0
Source: C:\Windows\System32\dialer.exe | Code function: 31_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 31_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gs1rry12.jcn.ps1
Source: Kawpow new.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kawpow new.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Kawpow new.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\Kawpow new.exe | File read: C:\Users\user\Desktop\Kawpow new.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Users\user\Desktop\Kawpow new.exe "C:\Users\user\Desktop\Kawpow new.exe"
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Kawpow new.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Kawpow new.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Kawpow new.exe | Static file information: File size 5471744 > 1048576
Source: Kawpow new.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
Source: Kawpow new.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Kawpow new.exe | Static PE information: section name: .00cfg
Source: eejhedztifcv.exe.4.dr | Static PE information: section name: .00cfg
Source: C:\Windows\System32\winlogon.exe | Code function: 37_2_000001CA7D1CACDD push rcx; retf 003Fh 37_2_000001CA7D1CACDE
Source: C:\Windows\System32\winlogon.exe | Code function: 37_2_000001CA7D1FC6DD push rcx; retf 003Fh 37_2_000001CA7D1FC6DE
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD3ACDD push rcx; retf 003Fh 43_2_0000017D2DD3ACDE
Source: C:\Windows\System32\lsass.exe | Code function: 43_2_0000017D2DD6C6DD push rcx; retf 003Fh 43_2_0000017D2DD6C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B90ACDD push rcx; retf 003Fh 44_2_0000022F4B90ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000022F4B93C6DD push rcx; retf 003Fh 44_2_0000022F4B93C6DE
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CBACDD push rcx; retf 003Fh 45_2_00000262F1CBACDE
Source: C:\Windows\System32\dwm.exe | Code function: 45_2_00000262F1CEC6DD push rcx; retf 003Fh 45_2_00000262F1CEC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942AFACDD push rcx; retf 003Fh 46_2_0000023942AFACDE
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_0000023942B2C6DD push rcx; retf 003Fh 46_2_0000023942B2C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056BACDD push rcx; retf 003Fh 47_2_000001EF056BACDE
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001EF056EC6DD push rcx; retf 003Fh 47_2_000001EF056EC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_000002287AD5C6DD push rcx; retf 003Fh 48_2_000002287AD5C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DA7ACDD push rcx; retf 003Fh 49_2_000001B94DA7ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B94DAAC6DD push rcx; retf 003Fh 49_2_000001B94DAAC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000002520255ACDD push rcx; retf 003Fh 50_2_000002520255ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000002520258C6DD push rcx; retf 003Fh 50_2_000002520258C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001A9EBFDC6DD push rcx; retf 003Fh 51_2_000001A9EBFDC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF161ACDD push rcx; retf 003Fh 53_2_0000019FF161ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 53_2_0000019FF164C6DD push rcx; retf 003Fh 53_2_0000019FF164C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A18ACDD push rcx; retf 003Fh 54_2_000002A76A18ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_000002A76A1BC6DD push rcx; retf 003Fh 54_2_000002A76A1BC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E11ACDD push rcx; retf 003Fh 55_2_000002234E11ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_000002234E14C6DD push rcx; retf 003Fh 55_2_000002234E14C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269AACDD push rcx; retf 003Fh 56_2_0000014D269AACDE
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_0000014D269DC6DD push rcx; retf 003Fh 56_2_0000014D269DC6DE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\lsass.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
Source: C:\Users\user\Desktop\Kawpow new.exeFile created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeJump to dropped file
Source: C:\Users\user\Desktop\Kawpow new.exeFile created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeJump to dropped file
Source: C:\Users\user\Desktop\Kawpow new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (identical entry listed 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (identical entry listed 3 times)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF (0xE9 is the opcode of a 5-byte jmp rel32, i.e. an inline detour written over the function entry; the little-endian rel32 operand is 0x2C32C39C)
Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical entry listed 96 times)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (identical entry listed 2 times)
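The ZwEnumerateKey entry above shows the first byte of the function replaced with 0xE9, a 5-byte jmp rel32 detour, and the three hooked query functions (NtQueryDirectoryFile, NtQuerySystemInformation, ZwEnumerateValueKey) are exactly the ones a user-mode rootkit patches to filter files, processes and registry values out of enumeration results. The following is an added example, not part of the Joe Sandbox report or of the sample, showing how to decode such a detour from the bytes at an export's entry and flag any Nt/Zw export whose prologue is no longer an x64 syscall stub or whose jump target lies outside ntdll's mapped image. The ntdll base, size, RVAs and the NtClose bytes are constructed assumptions; only the six ZwEnumerateKey bytes come from the report. Reading the live bytes from explorer.exe (ReadProcessMemory over ntdll's export table) and comparing them with the file on disk is left to the caller.

```python
import struct

# First bytes of an unhooked x64 ntdll Nt*/Zw* stub: mov r10, rcx ; mov eax, <SSN>
SYSCALL_STUB_PREFIX = bytes.fromhex("4c8bd1b8")
MASK64 = (1 << 64) - 1


def decode_detour(func_addr: int, code: bytes):
    """If the bytes at func_addr start with a jump-style detour, return
    (kind, target); otherwise None. For jmp [rip+rel32] the target is the
    address of the pointer slot, which must be dereferenced in the target
    process to find the final destination."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (func_addr + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                 # jmp [rip+rel32]
        rel = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+rel32]", (func_addr + 6 + rel) & MASK64)
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0])
    return None


def scan_exports(module_base: int, module_size: int, exports: dict):
    """exports maps export name -> (RVA, first bytes read from the live process).
    Returns a list of (name, verdict, target) findings."""
    lo, hi = module_base, module_base + module_size
    findings = []
    for name, (rva, code) in exports.items():
        addr = module_base + rva
        detour = decode_detour(addr, code)
        if detour is None:
            # a syscall stub that no longer starts with mov r10,rcx / mov eax,imm32
            if name.startswith(("Nt", "Zw")) and not code.startswith(SYSCALL_STUB_PREFIX):
                findings.append((name, "unexpected prologue", None))
            continue
        kind, target = detour
        where = "inside" if lo <= target < hi else "outside"
        findings.append((name, f"{kind} -> {target:#x} ({where} module)", target))
    return findings


# Constructed sample: base, size, RVAs and the NtClose bytes are assumptions;
# the six ZwEnumerateKey bytes are the ones listed in the report.
NTDLL_BASE = 0x7FFB1A2B0000
NTDLL_SIZE = 0x1F0000
SAMPLE_EXPORTS = {
    "NtClose":        (0xD1D0, bytes.fromhex("4c8bd1b80f000000f604250803fe7f01")),
    "ZwEnumerateKey": (0xD3E0, bytes.fromhex("e99cc3322ccf")),
}


def run_sample():
    return scan_exports(NTDLL_BASE, NTDLL_SIZE, SAMPLE_EXPORTS)


if __name__ == "__main__":
    for name, verdict, _ in run_sample():
        print(f"{name}: {verdict}")
```

With the assumed base, the detour lands roughly 740 MB above ntdll, i.e. in a private allocation rather than in any image; that distance, plus the prologue no longer matching the stub pattern, is what distinguishes an injected hook from a legitimate in-image patch.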

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 31_2_00000001400010C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5624
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4150
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1759
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 3948
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 6051
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 8743
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 1192
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9867
Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_43-15355
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_44-14997
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_31-422
Source: C:\Windows\System32\lsass.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.4 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.4 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408 Thread sleep count: 5624 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008 Thread sleep count: 4150 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7312 Thread sleep count: 189 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7312 Thread sleep time: -189000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7696 Thread sleep count: 1759 > 30
Source: C:\Windows\System32\dialer.exe TID: 7696 Thread sleep time: -175900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7996 Thread sleep count: 3948 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7996 Thread sleep time: -3948000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7996 Thread sleep count: 6051 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7996 Thread sleep time: -6051000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8012 Thread sleep count: 8743 > 30
Source: C:\Windows\System32\lsass.exe TID: 8012 Thread sleep time: -8743000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8012 Thread sleep count: 1192 > 30
Source: C:\Windows\System32\lsass.exe TID: 8012 Thread sleep time: -1192000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8076 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8076 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8100 Thread sleep count: 9867 > 30
Source: C:\Windows\System32\dwm.exe TID: 8100 Thread sleep time: -9867000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8108 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8108 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8116 Thread sleep count: 256 > 30
Source: C:\Windows\System32\svchost.exe TID: 8116 Thread sleep time: -256000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8124 Thread sleep count: 195 > 30
Source: C:\Windows\System32\svchost.exe TID: 8124 Thread sleep time: -195000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8132 Thread sleep count: 81 > 30
Source: C:\Windows\System32\svchost.exe TID: 8132 Thread sleep time: -81000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8140 Thread sleep count: 77 > 30
Source: C:\Windows\System32\svchost.exe TID: 8140 Thread sleep time: -77000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6912 Thread sleep count: 241 > 30
Source: C:\Windows\System32\svchost.exe TID: 6912 Thread sleep time: -241000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4340 Thread sleep count: 237 > 30
Source: C:\Windows\System32\svchost.exe TID: 4340 Thread sleep time: -237000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2964 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7452 Thread sleep count: 208 > 30
Source: C:\Windows\System32\svchost.exe TID: 7452 Thread sleep time: -208000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7300 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 7300 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Last function: Thread delayed (identical entry listed 2 times)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (identical entry listed 9 times)
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed (identical entry listed 2 times)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (identical entry listed 2 times)
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed (identical entry listed 2 times)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (identical entry listed 20 times)
Source: C:\Windows\System32\winlogon.exe Code function: 37_2_000001CA7D1EDCE0 FindFirstFileExW, 37_2_000001CA7D1EDCE0
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5DCE0 FindFirstFileExW, 43_2_0000017D2DD5DCE0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92DCE0 FindFirstFileExW, 44_2_0000022F4B92DCE0
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDDCE0 FindFirstFileExW, 45_2_00000262F1CDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1DCE0 FindFirstFileExW, 46_2_0000023942B1DCE0
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DDCE0 FindFirstFileExW, 47_2_000001EF056DDCE0
Source: C:\Windows\System32\svchost.exe Code function: 48_2_000002287AD4DCE0 FindFirstFileExW, 48_2_000002287AD4DCE0
Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001B94DA9DCE0 FindFirstFileExW, 49_2_000001B94DA9DCE0
Source: C:\Windows\System32\svchost.exe Code function: 50_2_000002520257DCE0 FindFirstFileExW, 50_2_000002520257DCE0
Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001A9EBFCDCE0 FindFirstFileExW, 51_2_000001A9EBFCDCE0
Source: C:\Windows\System32\svchost.exe Code function: 53_2_0000019FF163DCE0 FindFirstFileExW, 53_2_0000019FF163DCE0
Source: C:\Windows\System32\svchost.exe Code function: 54_2_000002A76A1ADCE0 FindFirstFileExW, 54_2_000002A76A1ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 55_2_000002234E13DCE0 FindFirstFileExW, 55_2_000002234E13DCE0
Source: C:\Windows\System32\svchost.exe Code function: 56_2_0000014D269CDCE0 FindFirstFileExW, 56_2_0000014D269CDCE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_31-468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exe Code function: 37_2_000001CA7D1E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000001CA7D1E7D90
Source: C:\Windows\System32\dialer.exe Code function: 31_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 31_2_00000001400017EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\System32\winlogon.exe Code function: 37_2_000001CA7D1E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000001CA7D1E7D90
Source: C:\Windows\System32\winlogon.exe Code function: 37_2_000001CA7D1F6218 SetUnhandledExceptionFilter, 37_2_000001CA7D1F6218
Source: C:\Windows\System32\winlogon.exe Code function: 37_2_000001CA7D1ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000001CA7D1ED2A4
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD5D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_0000017D2DD5D2A4
Source: C:\Windows\System32\lsass.exe Code function: 43_2_0000017D2DD57D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_0000017D2DD57D90
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B92D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B92D2A4
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000022F4B927D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000022F4B927D90
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1CDD2A4
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CE6218 SetUnhandledExceptionFilter, 45_2_00000262F1CE6218
Source: C:\Windows\System32\dwm.exe Code function: 45_2_00000262F1CD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_00000262F1CD7D90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B17D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_0000023942B17D90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_0000023942B1D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_0000023942B1D2A4
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF056D7D90
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056E6218 SetUnhandledExceptionFilter, 47_2_000001EF056E6218
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001EF056DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_000001EF056DD2A4
Source: C:\Windows\System32\svchost.exe Code function: 48_2_000002287AD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000002287AD47D90
Source: C:\Windows\System32\svchost.exe Code function: 48_2_000002287AD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000002287AD4D2A4
Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001B94DA9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 49_2_000001B94DA9D2A4
Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001B94DA97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 49_2_000001B94DA97D90
Source: C:\Windows\System32\svchost.exe Code function: 50_2_000002520257D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 50_2_000002520257D2A4
Source: C:\Windows\System32\svchost.exe Code function: 50_2_0000025202577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 50_2_0000025202577D90
Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001A9EBFC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_000001A9EBFC7D90
Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001A9EBFCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_000001A9EBFCD2A4
Source: C:\Windows\System32\svchost.exe Code function: 53_2_0000019FF163D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 53_2_0000019FF163D2A4
Source: C:\Windows\System32\svchost.exe Code function: 53_2_0000019FF1637D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 53_2_0000019FF1637D90
Source: C:\Windows\System32\svchost.exe Code function: 54_2_000002A76A1A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_000002A76A1A7D90
Source: C:\Windows\System32\svchost.exe Code function: 54_2_000002A76A1AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_000002A76A1AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 55_2_000002234E137D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 55_2_000002234E137D90
Source: C:\Windows\System32\svchost.exe Code function: 55_2_000002234E13D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 55_2_000002234E13D2A4
Source: C:\Windows\System32\svchost.exe Code function: 56_2_0000014D269CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 56_2_0000014D269CD2A4
Source: C:\Windows\System32\svchost.exe Code function: 56_2_0000014D269C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 56_2_0000014D269C7D90

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Kawpow new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
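The Add-MpPreference command line above removes the whole user profile, all of ProgramData and every .exe from Defender scanning in one call. The following script is an added triage example, not part of the Joe Sandbox report or of the sample: it parses such a command line, expands the $env: references with assumed sandbox values (ASSUMED_ENV; a real host would supply its own), and rates how much of the filesystem the exclusions blind. BROAD_ROOTS and EXEC_EXTENSIONS are the author's assumptions about what counts as a broad exclusion.

```python
"""Rate a PowerShell command line that adds Microsoft Defender exclusions.

Added example, not part of the Joe Sandbox report or the sample. It parses
the Add-MpPreference invocation the report records, expands the $env:
references the way the sandbox VM would, and flags exclusions broad enough
to blind Defender to a user-level dropper. ASSUMED_ENV holds assumed sandbox
values; real triage would read them from the affected host.
"""
import re

# Command line exactly as the report records it (process creation evidence).
OBSERVED_CMDLINE = (
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "
    r"Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
    r"-ExclusionExtension '.exe' -Force"
)

# Assumed environment of the sandbox VM (the report shows a user named "user").
ASSUMED_ENV = {"UserProfile": r"C:\Users\user", "ProgramData": r"C:\ProgramData"}

# Assumed: excluding one of these roots, or a direct child of it (a whole
# profile), blinds scanning for everything a non-admin dropper can write.
BROAD_ROOTS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# -ExclusionPath / -ExclusionExtension / -ExclusionProcess followed by an
# @(...) array, a quoted string or a bare token.
PARAM_RE = re.compile(
    r"""-Exclusion(?P<kind>Path|Extension|Process)\s+"""
    r"""(?P<arg>@\([^)]*\)|'[^']*'|"[^"]*"|\S+)""",
    re.IGNORECASE,
)
ENV_RE = re.compile(r"\$env:(\w+)", re.IGNORECASE)


def _expand(value, env):
    """Replace $env:NAME with the assumed value; unknown names stay visible."""
    def repl(m):
        for name, val in env.items():
            if name.lower() == m.group(1).lower():
                return val
        return m.group(0)
    return ENV_RE.sub(repl, value)


def _split_values(arg):
    """Turn @(a, b), 'a' or a bare token into a list of unquoted strings."""
    if arg.startswith("@(") and arg.endswith(")"):
        arg = arg[2:-1]
    return [v.strip().strip("'\"") for v in arg.split(",") if v.strip()]


def parse_exclusions(cmdline, env=ASSUMED_ENV):
    """Return {'Path': [...], 'Extension': [...], 'Process': [...]} with $env: expanded."""
    found = {"Path": [], "Extension": [], "Process": []}
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.IGNORECASE):
        return found
    for m in PARAM_RE.finditer(cmdline):
        kind = m.group("kind").capitalize()
        found[kind].extend(_expand(v, env) for v in _split_values(m.group("arg")))
    return found


def is_broad_path(path):
    """True for a drive root, a BROAD_ROOTS entry, or a direct child of one."""
    norm = path.lower().rstrip("\\")
    if re.fullmatch(r"[a-z]:", norm):
        return True
    for root in BROAD_ROOTS:
        if norm == root:
            return True
        if norm.startswith(root + "\\") and "\\" not in norm[len(root) + 1:]:
            return True
    return False


def assess(cmdline, env=ASSUMED_ENV):
    """Summarise the exclusions and rate them: high = blinds Defender broadly."""
    ex = parse_exclusions(cmdline, env)
    findings = []
    for p in ex["Path"]:
        if is_broad_path(p):
            findings.append(f"broad path exclusion: {p}")
    for e in ex["Extension"]:
        ext = e.lower() if e.startswith(".") else "." + e.lower()
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable extension excluded: {ext}")
    for proc in ex["Process"]:
        findings.append(f"process exclusion (files it touches are unscanned): {proc}")
    total = sum(len(v) for v in ex.values())
    severity = "high" if findings else ("medium" if total else "low")
    return {
        "paths": ex["Path"],
        "extensions": ex["Extension"],
        "processes": ex["Process"],
        "findings": findings,
        "severity": severity,
    }


if __name__ == "__main__":
    for finding in assess(OBSERVED_CMDLINE)["findings"]:
        print(finding)
```

Run against the recorded command line, assess() reports three findings (both profile-wide paths and the .exe extension) and rates the change high; a single narrow temp-folder exclusion parses the same way but only rates medium. On a live host the same parser can be pointed at PowerShell ScriptBlock logging or process-creation telemetry, and the resulting list compared with the output of Get-MpPreference to confirm the exclusions actually took effect.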
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 17D2DD20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22F4B8F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 262F1CA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23942AE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1EF056A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2287A7D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B94DA60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25202540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A9EBF90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19FF1600000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A76A170000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 14D26990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2175D5C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B0AB960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2129B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26384180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25178730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1495FCF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22125D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 297A5D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2D0F41C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C325340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AEFC900000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 270F3530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D326280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 16131E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AE137C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C93A3B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E2E4190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1450000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AB68FA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 265951C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C263510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2234E100000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 181985A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19E8E330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B5A2950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD340C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B653790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B19A0E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24730B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15F35DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 200792F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18CE9170000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D959540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18F1A9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FF01350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 221D2530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D400530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 8650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27844DD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 258B00D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FA9A260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1496A4A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 190043F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B8E5260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 189090B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24B0CB90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2A85C320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1CC1F5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2FC66280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 275F4C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2D46A700000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CA63DC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CDF7340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 165B0040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1B4ABAE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657DE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657E10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 31_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,31_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: 2DD2273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: F1CA273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 42AE273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 56A273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7A7D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4DA6273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 254273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBF9273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: F160273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6A17273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2699273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5D5C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AB96273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9B2A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8418273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7873273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5FCF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 25D9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A5D8273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F41C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2534273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FC90273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F353273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2628273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 31E6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 137C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3A3B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E419273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 145273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 68FA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 951C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6351273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E10273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 985A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3C5C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CFCF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8E33273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A295273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 340C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5379273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9A0E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 30B3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 35DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 792F273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E917273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5954273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1A9A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 135273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D253273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 53273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 865273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 44DD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B00D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9A26273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B71A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8202273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 706E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6A4A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 43F273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 15D3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AD5E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 570C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E526273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 90B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B124273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 82CD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9B7A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CB9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5C32273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1F5B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6628273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F4C5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6A70273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 63DC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F734273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\sc.exe EIP: B004273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: ABAE273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 57DE273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 57E1273C
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2287A7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2234E100000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181985A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18F1A9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 8650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24B0CB90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 2A85C320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CC1F5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2FC66280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275F4C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2D46A700000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1CA63DC0000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CDF7340000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 165B0040000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1B4ABAE0000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657DE0000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657E10000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: PID: 4056 base: 8650000 value: 4DJump to behavior
Source: C:\Users\user\Desktop\Kawpow new.exe | Thread register set: target process: 7692
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1CA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287A7D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E100000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181985A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18F1A9A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 8650000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24B0CB90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A85C320000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CC1F5B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2FC66280000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275F4C50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D46A700000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA63DC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CDF7340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 165B0040000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B4ABAE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657DE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E657E10000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E160000
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\dialer.exe | Code function: 31_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 31_2_0000000140001B54
Source: winlogon.exe, 00000025.00000000.1351090659.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000025.00000002.2636822919.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000025.00000000.1351090659.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000025.00000002.2636822919.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000025.00000000.1351090659.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000025.00000002.2636822919.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: winlogon.exe, 00000025.00000000.1351090659.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000025.00000002.2636822919.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe | Code function: 37_2_000001CA7D1C36F0 cpuid 37_2_000001CA7D1C36F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\dialer.exe | Code function: 31_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 31_2_0000000140001B54
Source: C:\Windows\System32\winlogon.exe | Code function: 37_2_000001CA7D1E7960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 37_2_000001CA7D1E7960

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: svchost.exe, 00000008.00000002.2630840838.0000025A87102000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2630840838.0000025A87102000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (number in parentheses: count of matching signatures)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | Windows Service (1) | Access Token Manipulation (1) | Rootkit (4) | Credential API Hooking (1) | System Time Discovery (1) | Remote Services | Credential API Hooking (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Service Execution (1) | DLL Side-Loading (1) | Windows Service (1) | Disable or Modify Tools (2) | LSASS Memory | Security Software Discovery (24) | Remote Desktop Protocol | Archive Collected Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Native API (1) | Logon Script (Windows) | Process Injection (713) | Modify Registry (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (21) | NTDS | Virtualization/Sandbox Evasion (21) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Access Token Manipulation (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Process Injection (713) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | System Information Discovery (22) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Install Root Certificate (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1585413 | Sample: Kawpow new.exe | Start date: 07/01/2025 | Architecture: WINDOWS | Score: 100

Top-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Stop EventLog; Sigma detected: Disable power options; 9 other signatures

Process tree (text recovered from the behavior graph; the graphic itself is not included):
  • Kawpow new.exe (started)
    dropped: C:\ProgramData\...\eejhedztifcv.exe, PE32+
    signatures: Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
    • dialer.exe (started): Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures
      • lsass.exe (injected): Installs new ROOT certificates; Writes to foreign memory regions
        • svchost.exe (injected)
      • dwm.exe (injected)
      • winlogon.exe (injected)
      • 10 other processes (injected)
    • powershell.exe (started): Loading BitLocker PowerShell Module
      • WmiPrvSE.exe (started)
      • conhost.exe (started)
    • cmd.exe (started)
      • conhost.exe (started)
      • wusa.exe (started)
    • 13 other processes (started), which in turn started 13 other processes
  • svchost.exe (started): Changes security center settings (notifications, updates, antivirus, firewall)
  • eejhedztifcv.exe (started): Multi AV Scanner detection for dropped file
  • 2 other processes (started)

Source | Detection | Scanner | Label | Link
Kawpow new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba |

Source | Detection | Scanner | Label | Link
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1& | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1& | svchost.exe, 00000000.00000003.1370561544.000001DC42C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1370689484.000001DC42C46000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000000.00000003.1263586331.000001DC42C36000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000000.00000003.1369407878.000001DC42C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371621084.000001DC42C68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000000.00000003.1370561544.000001DC42C41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000000.00000002.1371678039.000001DC42C77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369006554.000001DC42C75000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000000.00000002.1371426876.000001DC42C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369407878.000001DC42C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371621084.000001DC42C68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000000.00000002.1371426876.000001DC42C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369479480.000001DC42C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000003.1370615655.000001DC42C39000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000003.1370561544.000001DC42C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371511467.000001DC42C42000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000000.00000003.1369479480.000001DC42C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000003.1370376947.000001DC42C48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371511467.000001DC42C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1370615655.000001DC42C39000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000003.1263586331.000001DC42C36000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                  https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 00000000.00000003.1370289694.000001DC42C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369251202.000001DC42C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1370561544.000001DC42C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371645071.000001DC42C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369479480.000001DC42C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371511467.000001DC42C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000000.00000002.1371426876.000001DC42C2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000000.00000002.1371511467.000001DC42C42000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 00000000.00000003.1370561544.000001DC42C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371511467.000001DC42C42000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://dynamic.tsvchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000000.00000003.1369479480.000001DC42C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.bingmapsportal.comsvchost.exe, 00000000.00000002.1371387005.000001DC42C13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000000.00000003.1370590097.000001DC42C57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371547103.000001DC42C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000000.00000003.1370289694.000001DC42C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371426876.000001DC42C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369479480.000001DC42C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000000.00000002.1371426876.000001DC42C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369407878.000001DC42C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371621084.000001DC42C68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000000.00000003.1369251202.000001DC42C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371645071.000001DC42C70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000000.00000003.1370615655.000001DC42C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371594263.000001DC42C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      No contacted IP infos
                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                      Analysis ID:1585413
                                                                      Start date and time:2025-01-07 16:07:05 +01:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 11m 13s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:43
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:14
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:Kawpow new.exe
                                                                      Detection:MAL
                                                                      Classification:mal100.spyw.evad.winEXE@56/69@0/0
                                                                      EGA Information:
                                                                      • Successful, ratio: 88.2%
                                                                      HCA Information:
                                                                      • Successful, ratio: 96%
                                                                      • Number of executed functions: 58
                                                                      • Number of non-executed functions: 366
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 199.232.210.172, 40.126.32.140, 20.190.160.22, 40.126.32.133, 40.126.32.136, 40.126.32.138, 40.126.32.72, 20.190.160.20, 40.126.32.76, 13.107.246.45, 4.175.87.197
                                                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com
                                                                      • Execution Graph export aborted for target Kawpow new.exe, PID 5520 because it is empty
                                                                      • Execution Graph export aborted for target eejhedztifcv.exe, PID 7984 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                      • VT rate limit hit for: Kawpow new.exe
Time | Type | Description
10:08:02 | API Interceptor | 1x Sleep call for process: Kawpow new.exe modified
10:08:05 | API Interceptor | 24x Sleep call for process: powershell.exe modified
10:08:21 | API Interceptor | 2339x Sleep call for process: svchost.exe modified
11:13:07 | API Interceptor | 387625x Sleep call for process: winlogon.exe modified
11:13:08 | API Interceptor | 301082x Sleep call for process: lsass.exe modified
11:13:13 | API Interceptor | 357159x Sleep call for process: dwm.exe modified
11:13:16 | API Interceptor | 1682x Sleep call for process: dialer.exe modified
11:13:23 | API Interceptor | 198x Sleep call for process: WmiPrvSE.exe modified
                                                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526 | Get hash | malicious | Unknown | Browse | 199.232.214.172
  | Here is the completed and scanned document.eml | Get hash | malicious | Unknown | Browse | 199.232.214.172
  | file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | Get hash | malicious | Unknown | Browse | 199.232.214.172
  | c2.hta | Get hash | malicious | Remcos | Browse | 199.232.210.172
  | sfqbr.ps1 | Get hash | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | Browse | 199.232.214.172
  | Vernales Restaurant-encrypted.pdf | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
  | KHK0987.xlsx | Get hash | malicious | Unknown | Browse | 199.232.214.172
  | new.bat | Get hash | malicious | Unknown | Browse | 199.232.214.172
  | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 199.232.210.172
  | #Employee-Letter.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
                                                                      No context
                                                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Solara.exe | Get hash | malicious | Unknown | Browse |
                                                                        Process:C:\Users\user\Desktop\Kawpow new.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5471744
                                                                        Entropy (8bit):6.525931537093555
                                                                        Encrypted:false
                                                                        SSDEEP:98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
                                                                        MD5:FB6A3B436E9F9402937D95F755B62F91
                                                                        SHA1:AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
                                                                        SHA-256:4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
                                                                        SHA-512:7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                                        Joe Sandbox View:
                                                                        • Filename: Solara.exe, Detection: malicious, Browse
                                                                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text.............................. ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
                                                                        Category:dropped
                                                                        Size (bytes):7796
                                                                        Entropy (8bit):7.971943145771426
                                                                        Encrypted:false
                                                                        SSDEEP:192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
                                                                        MD5:FB60E1AFE48764E6BF78719C07813D32
                                                                        SHA1:A1DC74EF8495C9A1489DD937659B5C2875027E16
                                                                        SHA-256:EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
                                                                        SHA-512:92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
                                                                        Malicious:false
                                                                        Preview:MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..|..9.........{...|d..v.T..w.TMZ.|...).F.rtAm.....f......T.*.......n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w*..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...|.h..$."r..hL9TR..}.v%...4).H..[.....r..|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):330
                                                                        Entropy (8bit):3.31809439621491
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKM81wNSWsCN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:00FkPlE99Si1QyIeek
                                                                        MD5:947EBB6083EB8A1516879E5CF70F2F87
                                                                        SHA1:E8A0F268982AFB56410388CCDF73C630D126EBD9
                                                                        SHA-256:924ABC76DF892878225FCCA693A8C702DFD407E8C3BDC12D2C94F56CF43EAB6C
                                                                        SHA-512:910D0F9CA4DD371580AA014A5A043CA818913DE8D87F03CC03ADA236BEAAF6DB6833F8B622746C90A25F93A27DD410EBD139F8D7C546281C8DE1F6E7E518FB85
                                                                        Malicious:false
                                                                        Preview:p...... ........}.X..a..(....................................................... ........B@!........(....0."....t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1940658735648508
                                                                        Encrypted:false
                                                                        SSDEEP:3:NlllulnmWllZ:NllUmWl
                                                                        MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                                                        SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                                                        SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                                                        SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                                                        Malicious:false
                                                                        Preview:@...e................................................@..........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):4680
                                                                        Entropy (8bit):3.7115837743379414
                                                                        Encrypted:false
                                                                        SSDEEP:96:pYMguQII4i5q6h4aGdinipV9ll7UY5HAmzQ+:9A4g/xne7HO+
                                                                        MD5:B3E9F094612A0553E5747C4AB01131D8
                                                                        SHA1:0A944E858D9AEA935E349994CD696E597E905139
                                                                        SHA-256:1FFBD472D1A785A02DA260FF16F6CA247945429E743D6D60B585D0C482EB0865
                                                                        SHA-512:57CEF46655722DD7C53A706D0395BF6FCFAB395B89302DC856D24C75C9484D028CDA6289478DD32F2B538A07251AAD98AD1A1A1E023958449BF270E484EB934C
                                                                        Malicious:false
                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):338
                                                                        Entropy (8bit):3.9579464662814963
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKZHCbhu9tLqJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:R0ufdkPlE99SCQl2DUevat
                                                                        MD5:E69E1492E3F86E2355254FE344052511
                                                                        SHA1:E98AC00B092E2D4A91651D4772344DFDB3826026
                                                                        SHA-256:A1D6DCB03D344A97F48971C35DF02422E04E41F9E73C525283051A25F37D95DE
                                                                        SHA-512:84315BAAB316B901456AFDD4EE830160CBCA9A4304FE9D32B442C42500C76CA9EFA50E0713E5A20693C650F5A2D92DEB546358CCBF9D5D6F61F5C50C8812ED2F
                                                                        Malicious:false
                                                                        Preview:p...... ............Z...(...................a...S...a...\U.a...........S...a.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                        Category:dropped
                                                                        Size (bytes):4192
                                                                        Entropy (8bit):4.013976946005677
                                                                        Encrypted:false
                                                                        SSDEEP:96:3IXYOF0OLC8cD1qJEC0DeVAJrOa0iHoeVA2rQR:3IIOF1CD1qJEWVSf0iH5VJ0
                                                                        MD5:46E8D697C55D60A250D7BFB716DD124C
                                                                        SHA1:D63873C5DB85D776EDF2ADAD2D01CABEDDD1B922
                                                                        SHA-256:FA6B2CF7344486EA681E292D56774FAF1FEA27BC4B9672A60C8B3311F8108173
                                                                        SHA-512:E4F47D870412839D9C71A0D97EA5B7A20F01DE5A59030B5A4366DE0FAF92C05FAB8A1043192DC9CAEE9C5AB44976649D56E76420301856C780A69CBC1D7AFDC9
                                                                        Malicious:false
                                                                        Preview:ElfChnk.................F.......H...........`...`.....B.......................................................................C.............................................=.......................................................................................................................J...g...............@...........................n...................M...]...........................p...............F...............................................................&.......................................**.. ...F.........^..a........D.o.&.......D.o.#.X_F...."}........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7....=.......K...N.a.m.e.......S.e.c.u.r.i.t.y.C.e.n.t.e.r..A..M...{........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 329, DIRTY
                                                                        Category:dropped
                                                                        Size (bytes):123792
                                                                        Entropy (8bit):4.090092478950178
                                                                        Encrypted:false
                                                                        SSDEEP:1536:kHi6xadptrX9WP+gqHi6xadptrX9WP+g:JptrX9WP+gHptrX9WP+g
                                                                        MD5:1E5F6C42DF8692D031E38FC90F2F4DFE
                                                                        SHA1:E7EFF5D41D080BF5D56A313B53E961F17E0FEAF5
                                                                        SHA-256:0931D9F7207CAE219D4EBB8F429479112C53059CBF9D79B99655F38AF25E8BEA
                                                                        SHA-512:9CEF0055F6ABBF3C4EAA7CF39278061556FDDF9AAB4D2120808355EE94A783C8902F36A7181017AE2E6127EE9D595AAF529D0FC86FE69521AE83461466C0AE52
                                                                        Malicious:false
                                                                        Preview:ElfFile.................I....................................................................................................2..ElfChnk.........J...............J...........x.......-........................................................................6..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.396148699263237
                                                                        Encrypted:false
                                                                        SSDEEP:384:jhONk2SCNCrN0KNoBNoiNKNosaNjN4N9NRNCN8NoNjNUNONXN6N6LNvgN1NkNWzP:jgS5itAsZ2DCIEzVFNtPp
                                                                        MD5:1714E9F375BF402E9FF7644ED82EC285
                                                                        SHA1:ECB3A4495CEBE4F270C8D94553F027A36F50C42B
                                                                        SHA-256:20C6A11A8C455A4E4077CC61001BED7C0DD4E6F4FAADBCAD8DDF9A31406F1051
                                                                        SHA-512:A376B10C14E4EF653991874DE0D730768CC8D9BD49D8C348EED40CD184DA0C2AB47022B0AF6841B0F260598927C63271550A9B2C30F6A0DB1F6A3F830FC16576
                                                                        Malicious:false
                                                                        Preview:ElfChnk.v...............v...................p.......T..q......................................................................D&................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................}.......................}.......................&...M.......M...........................}...................m...................**......v........^.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):66960
                                                                        Entropy (8bit):4.277181178775586
                                                                        Encrypted:false
                                                                        SSDEEP:384:XVUV8hpVAVqVjVWVscVcVtVrV51VgVTV/VZVXKVNVjVyVlF/vVIVtVQVwVEV+VpE:/b8xf4BsuMgkk
                                                                        MD5:7C90A7B907F804A9F8D829EA83A81462
                                                                        SHA1:B29A6DF9855B07ACA251E3AA6E416980CD47135D
                                                                        SHA-256:88518498527ECAC297161AD6945F16F0D58B07412381631F71FA3B728E4D97C9
                                                                        SHA-512:5FEFF2B53CDEFBAF417346DD456B9854BD399348C0E5184DD144044BBF3EBF59DF53E4DE47CA7C951DED17F521C96EEE669D0A5B563CDFA0039E02DBBC76F967
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........G...............G.............................................................................................................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F....................................................'..............&.......................................................................%......**......F.......Zgv..a..........E!&...............................................................@.......X...a.!.....E..........@Zgv..a.....`...ey..`...........F....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....O.p....**......G............a..........
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):67008
                                                                        Entropy (8bit):4.402715961435219
                                                                        Encrypted:false
                                                                        SSDEEP:384:jmImJhImkmAymRvmVkcmhTiYmBmgmUmWmBmbm4my7mcEZmZmtmZ4mRmKmdm5mqm1:uxkrTiZz+9hZ/67TSPnSKn
                                                                        MD5:E2BB424352742839259C05ECCA817DB2
                                                                        SHA1:33BAE4DD356B9F3149485F47FEA5BC468785269C
                                                                        SHA-256:8E42E049A6C9B6A2B28D66D0F217DF2E956F90B249A4AA8E9096667ADFB8CDC1
                                                                        SHA-512:C1EFC807D0E4D168F081548625CFE48A5B14D92AF36148DAF2AED502C513B218F5CC2FBCA48CF152DFB3B3EDCA9006CA5DAAC64414B01761EC7F8E8EA2CF5231
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................0...............................................................................<Wc.................b...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................;...c#..{1..k:...................v..........**..............R....a..........E!&...............................................................N.......d..._.!.....[..........@R....a.....`.......`................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c.......r.v....**......
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.4578852372743866
                                                                        Encrypted:false
                                                                        SSDEEP:96:vNVaO8sMa3Z85ZMLgrjjIZ3Z85ZQu3Z85ZW3Z85Zu:1V7pp8nMLEvUp8nDp8nWp8n
                                                                        MD5:9C160BC0171DFD3595B31163B5C606C6
                                                                        SHA1:BD6AD35A3770A1332EACA6141DEF524DA7D9DA3A
                                                                        SHA-256:EFB59BCC5B918874707C52AC858F2A713C77C1807E665E48E3B2E713917F2AAF
                                                                        SHA-512:130C93D51F01ACB704E117E0BEEF45FED54C2DB4D398531A2A5BDB6534AA010F4B5B6683AC10A607CD2AAEEBB8741556036B8E20C88DD26EE5C055C792B61268
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................P........&*.....................................................................S+..............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.248110473220085
                                                                        Encrypted:false
                                                                        SSDEEP:1536:YbBN2A4VD7VAx8whAGU2woJQghYAxgRzAlUnF9:
                                                                        MD5:87681F2AD6FCB19982924DCE6A2D7A27
                                                                        SHA1:6C4D49C5504D6DE6E63B44753C607B3362B79B57
                                                                        SHA-256:1CA289F8F7FD7DD1D67EDA5691EF4B083120E456204CC8F6923AFCCD700183BC
                                                                        SHA-512:8F1309E5DD7B017945ABF5EB7E869AA1C04A27C37DB7C3A735A2CB31D815B67643D37DAD93FB89FFF2B6BC213EAE1E55201075DAEAFA39A6B1656A214990DEBA
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........]...............]...............0...........................................................................>...............................................=...................................................................................%.......................................X...............?...............................................M...F.......................................................................................>...........................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.625347651139654
                                                                        Encrypted:false
                                                                        SSDEEP:1536:+XY5nVYIyyqED5BVZUevOBtNPhPVwCRPvf:+XY5nVYIyyqED5BVZUevOBtNPhPVwChf
                                                                        MD5:890CA9963C766DA05E491710E1CD9D7F
                                                                        SHA1:3F95AB4363D5DB533E60748F69A364196BAC8920
                                                                        SHA-256:47523E0AC40BC366CD0A86BE9A72ECEF3A72EE7D430B25A61D8DF55341C19531
                                                                        SHA-512:C2D739AE5ABF76C627DA8B863CC73FF31F7C7733138DB2954A3102377FD0270F69FE269EEAE0DE4172E53E194C3B71791CD09B36F880DC726665004FD9C6A07F
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........................................`....:..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......v.......................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):101248
                                                                        Entropy (8bit):2.6781643993762594
                                                                        Encrypted:false
                                                                        SSDEEP:384:loEKBoHoiAhoT+yRozAMgoqy2oUoqykoaoqy3o1oqy8hdo69CcoTorNorWorbvoI:1hMSDCRbhM4DCRbhMye
                                                                        MD5:3825F9F43EB1F2BB8C26923DF6DC201E
                                                                        SHA1:9AD5EAC6FC9F592ED88965550BCD1638B1BB587B
                                                                        SHA-256:2DA67E61CF16868246C7FB0A8B67921A1DA129110C52D123D28B6C36117F9EC8
                                                                        SHA-512:FE532C7F310F5A3B45A566B589DA9B56D434BFC538DA7E2C8AAB44B14BBFB78B1A1155016006318783030620C8A288952963A9B6A8EA393ACA923E8521637DE1
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................hJ...L..9-y9.....................................................................1..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................E/..............])..............................**...............F...a..........E!................................................................>.......V...X.!..e...............F...a.....`...@..`....... ........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.])......!>....[.U.....i...........|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 207715216474546355539665747968.000000
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8526226240352849
                                                                        Encrypted:false
                                                                        SSDEEP:384:YhAiPA5PNPxPEPHPhPEPmPSPRP3PoPqP7DPfPqP/P:Y2NP
                                                                        MD5:585F5E645713292DF375B49B2BDC28EA
                                                                        SHA1:42531DC7FEDA50E16705A1260EC70B5AD7015FCB
                                                                        SHA-256:E16C3A02C9E22074AE98621BB170E12D41A54187FCC6D53B5600F5712F37A9FF
                                                                        SHA-512:0C0008188EC621D5FE00CF9211729347A941AF2DE55DA3333114D83B4D181FB8792C64FA0F62309660F51FF26349684D35EAC0A4E0FE98898D1C03CAAB65B434
                                                                        Malicious:false
                                                                        Preview:ElfChnk......................................%...&...A..................................................................... p..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8442469423268683
                                                                        Encrypted:false
                                                                        SSDEEP:384:DhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:DWXSYieD+tvgzmMvB2R387
                                                                        MD5:A12D2A18D158FA0E4EBA801B76795EAC
                                                                        SHA1:22C6C36D8E0ACD32735F5C0D25929CD734A2DB9F
                                                                        SHA-256:4A2A9FFE44AB14DE2504B3632FBDDC8EC4E3B35AFF6C5CCA75AB5095E164E39E
                                                                        SHA-512:729117B98F2FA8D18DD3A9B0A373EA5CD36A9B88BA54A45579DE0C50C68DABAB50096CC3078DDA1C11A7483D95CD6B39A54AF35282B1C2550F0AAE4A80F8BEA9
                                                                        Malicious:false
                                                                        Preview:ElfChnk......................................$...&.....i....................................................................x..(................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................&...............................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.1949548850023466
                                                                        Encrypted:false
                                                                        SSDEEP:384:4KhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh2I:4KbCyhLfI931Q
                                                                        MD5:54F488D8C354C7E6382EC57543BF33E8
                                                                        SHA1:58AE9E68A1C2344FE5A8FB8033567463C19C5997
                                                                        SHA-256:DDCF67543FFE2BF3042B5995694BEDC1E444D710A70E5A9FF0EA4A040689E175
                                                                        SHA-512:AFFCBCB5036C629BA0F12226A60FA470E6124C25904BF49381D9A249009CD1E3FFA2421E699A9011F47779EB489186A0075D85504BBF49E1707EA08A8C7A617B
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........N...............N.....................h........................................................................7................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n.......6t..............................................................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.3895763915665986
                                                                        Encrypted:false
                                                                        SSDEEP:768:TcMhFBuyKskZljdoKXjtT/r18rQXn8uwgSj70FTP:gMhFBuV80
                                                                        MD5:1D8BE61A76EB65AD20811E2A3EBD8D8B
                                                                        SHA1:65BCCD165D3CF1461160CB66C599C27292F5CFAE
                                                                        SHA-256:3A422D3D5B358379363C1C04D81DDC636AB1EE1E1B9ACC78C43CF02BDCD438CD
                                                                        SHA-512:2150FFB459D6F9B9AC6DE5274E96C59803240F3C6CFD820C565B892B10FD7DF152B223D05A01433A15DB737C688D4451DD78B07BB42F9774C18CC64E48D23FC4
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........O...............O...........0........~......................................................................O.".................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.897824852235771
                                                                        Encrypted:false
                                                                        SSDEEP:768:UtvigYdNYvAzBCBao/F6Cf2SEqEhwaK41HZalMIq9Iz6IOTLGfFXN/E:WQH+dqWzrhFXN/E
                                                                        MD5:81E27C8411597973E644100B4779620A
                                                                        SHA1:BC96F6D7472174051BC5A7A10CCDB46738AB75A3
                                                                        SHA-256:3DF7FBEBAF30A4A63374A0431ED383B11B470576563B6A257A3401D70D12A04B
                                                                        SHA-512:A6E60CCDAB188DBD32904BE97E2C95C0A10C13C0A0BCAC230B0C526FD105A4791BAF9DC50779FAC3B2CC16671A1573DDA86872A5C4B80685E8AF90D6CAA574B7
                                                                        Malicious:false
                                                                        Preview:ElfChnk.w...............w...........................L4.........................................................................`................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..H...w...........`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 27, DIRTY
                                                                        Category:dropped
                                                                        Size (bytes):93416
                                                                        Entropy (8bit):2.772194224962589
                                                                        Encrypted:false
                                                                        SSDEEP:384:2uh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkza:9MAP1Qa5AgfQQhCPMAP1Qa5AgfQQhC
                                                                        MD5:A8D94CD4632EAA07DE2CA1DC0C77BC9F
                                                                        SHA1:5DC5E75F264D82EE10FE50B7CD9F2A915242FE7C
                                                                        SHA-256:C099D98D4C0FFE7DAF2D33B1B13138781E73CAC8AABF5D424EC7EC19ACA6550E
                                                                        SHA-512:3FD4D1FC6E13B2613A9425D09063534EADA10C66FA2CBF5533E52B08A6DCF0EE712F8574F250928C40B0AE04B124B91CC96D1D0F69E403D3FD57308373595C89
                                                                        Malicious:false
                                                                        Preview:ElfFile.....................................................................................................................|.~2ElfChnk.....................................@j..hl....9......................................................................A.................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........Y...............................&..............;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
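The drops in this run are Windows Event Log artefacts written by the EventLog service host (svchost.exe): each 65536-byte file begins with the ElfChnk chunk signature, and the 93416-byte file directly above begins with the ElfFile header that libmagic summarised as "1 chunks (no. 0 in use), next record no. 27, DIRTY". The Python below is an added triage example, not part of the Joe Sandbox report or its tooling. It parses both header types from the documented EVTX layout, verifies the CRC32 values the Event Log service writes over them, and reports the DIRTY flag (0x1: the log was open and not cleanly flushed when the bytes were captured), which is what separates a coherent log from a truncated buffer when these files are pulled out of a sandbox. The sample bytes are constructed inside the block to match that libmagic summary (one chunk, next record 27, dirty); the record bodies are left empty and the `build_*` helpers exist only to produce that fixture.

```python
"""Header-level triage of EVTX artefacts (ElfFile / ElfChnk).

Added example, not code from the Joe Sandbox report. Sample bytes are
constructed below; no data from the dropped files is embedded.
"""
import struct
import zlib

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_BLOCK = 4096   # the ElfFile header owns the first 4 KiB
CHUNK_SIZE = 65536         # every chunk is exactly 64 KiB
FLAG_DIRTY = 0x1           # log was open / not flushed when captured
FLAG_FULL = 0x2


def _crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_file_header(buf):
    """ElfFile header: magic[8] first_chunk u64 last_chunk u64 next_record_id u64
    header_size u32 minor u16 major u16 block_size u16 chunk_count u16
    pad[76] flags u32 crc32 u32. The CRC covers bytes 0..119 (flags excluded)."""
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an ElfFile header")
    (first_chunk, last_chunk, next_id, _hdr_size, minor, major,
     _block, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, crc = struct.unpack_from("<II", buf, 120)
    return {"first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_id, "version": f"{major}.{minor}",
            "chunk_count": chunk_count, "dirty": bool(flags & FLAG_DIRTY),
            "full": bool(flags & FLAG_FULL), "crc_ok": _crc(buf[:120]) == crc}


def parse_chunk_header(buf):
    """ElfChnk header: magic[8] first_rec_num u64 last_rec_num u64 first_rec_id u64
    last_rec_id u64 header_size u32 last_rec_offset u32 free_space_offset u32
    records_crc32 u32 unknown[68] header_crc32 u32. The header CRC covers bytes
    0..119 plus the string/template tables at 128..511; the records CRC covers
    bytes 512..free_space_offset. record_count is derived from the header
    numbers, not from walking the records."""
    if buf[:8] != CHUNK_MAGIC:
        raise ValueError("not an ElfChnk header")
    (first_num, last_num, first_id, last_id, _hdr_size, last_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", buf, 8)
    hdr_crc = struct.unpack_from("<I", buf, 124)[0]
    return {"first_record": first_num, "last_record": last_num,
            "record_count": last_num - first_num + 1 if last_num >= first_num else 0,
            "first_record_id": first_id, "last_record_id": last_id,
            "last_record_offset": last_off, "free_space_offset": free_off,
            "header_crc_ok": _crc(buf[:120] + buf[128:512]) == hdr_crc,
            "records_crc_ok": _crc(buf[512:free_off]) == rec_crc}


def triage(blob):
    """Classify a dropped file as a full .evtx (ElfFile + chunks) or a bare
    64 KiB chunk, as the 65536-byte drops are, and parse every header found."""
    if blob[:8] == FILE_MAGIC:
        chunks, off = [], FILE_HEADER_BLOCK
        while off + 512 <= len(blob) and blob[off:off + 8] == CHUNK_MAGIC:
            chunks.append(parse_chunk_header(blob[off:off + CHUNK_SIZE]))
            off += CHUNK_SIZE
        return {"kind": "evtx_file", "file": parse_file_header(blob[:128]),
                "chunks": chunks}
    if blob[:8] == CHUNK_MAGIC and len(blob) >= 512:
        return {"kind": "bare_chunk", "file": None,
                "chunks": [parse_chunk_header(blob[:CHUNK_SIZE])]}
    return {"kind": "unknown", "file": None, "chunks": []}


def build_file_header(next_record_id, chunk_count, flags):
    """Constructed ElfFile header (fixture only, not bytes from the sample)."""
    head = FILE_MAGIC + struct.pack("<QQQIHHHH", 0, max(chunk_count - 1, 0),
                                    next_record_id, 128, 1, 3, 4096, chunk_count)
    head += b"\x00" * 76                      # 120 bytes covered by the CRC
    return head + struct.pack("<II", flags, _crc(head))


def build_chunk(first_num, last_num):
    """Constructed ElfChnk with empty record area (fixture only)."""
    head = CHUNK_MAGIC + struct.pack("<QQQQIIII", first_num, last_num,
                                     first_num, last_num, 128, 512, 512, _crc(b""))
    head += b"\x00" * 64                      # 120 bytes
    tables = b"\x00" * 384                    # 128..511 string/template tables
    hdr = head + b"\x00" * 4 + struct.pack("<I", _crc(head + tables))
    return (hdr + tables).ljust(CHUNK_SIZE, b"\x00")


# Constructed fixture shaped like the libmagic summary above
# (1 chunk, next record no. 27, DIRTY); record bodies are empty.
SAMPLE_EVTX = (build_file_header(27, 1, FLAG_DIRTY).ljust(FILE_HEADER_BLOCK, b"\x00")
               + build_chunk(1, 26))

if __name__ == "__main__":
    result = triage(SAMPLE_EVTX)
    print(result["kind"], result["file"])
    for chunk in result["chunks"]:
        print(chunk)
```

Run it against a real drop with `triage(open(path, "rb").read())`: a file whose header CRC fails, or whose chunk records CRC fails, was still being written (or was tampered with) when it was collected, and its `record_count` should not be trusted without walking the records.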
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.441475404183629
                                                                        Encrypted:false
                                                                        SSDEEP:768:ZbM5eahvB94LSAoiMTQMrj+/IVvu4mJY0YCOO:dMAaZBLzn6fYZO
                                                                        MD5:B7F318BB9FA336235CCBE5A391775D8E
                                                                        SHA1:F7F7CFF57A6BB00B4E6F17E39BAAF2443E08878D
                                                                        SHA-256:D59515423F15D3618746447E1333945BF1432B9B4C20B54849050CE17C72311D
                                                                        SHA-512:1C8FA8FD31BC4A3C6815A473C00187497E7E71CAF1FAD61F5A6D73DBEB6AE9D551A3DAA6B39B76A4D1401A061844036D5D06469A3942BC030B276D4E186C7289
                                                                        Malicious:false
                                                                        Preview:ElfChnk.r...............r...................0.......A..@....................................................................k...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F....................+...............)......55......................&.......E....@......M#..............u7.......1.........../...........!..]>......**......r.......R...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:DIY-Thermocam raw data (Lepton 3.x), scale 8448-4108, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 308596736.000000 (libmagic misidentification: the preview below starts with the ElfChnk signature, so this is a 64 KiB Windows Event Log chunk like the other 65536-byte drops from svchost.exe)
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.4699263306571524
                                                                        Encrypted:false
                                                                        SSDEEP:384:6hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klq:61T4hu7OJscMmza
                                                                        MD5:86173450A7EE15BC5B6A2C667DD3B040
                                                                        SHA1:200635B7FB3137AB9A33A6551182F4BA05BDCE84
                                                                        SHA-256:AEDE5AAE515D2A3C78BA23C631D178DCCB3E775CD3B4FB6F0406887FAEDE5B88
                                                                        SHA-512:3A73438F1A7B3B2F166B2B2F70E713F7393A2F2D5DF23858D05F2790BD2DF5B2CDC38263EC72ECC34621C82C44308E3C0474E295C678642E30146CAC27D69067
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........s...............s..............x....,........................................................................5.................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.450965793914843
                                                                        Encrypted:false
                                                                        SSDEEP:384:phFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfO:pzSKEqsMuy6CL3
                                                                        MD5:3914FD52494E203A25B69F9F4221031F
                                                                        SHA1:8046E0D1C78A47632A4550AC66FC9917E6429457
                                                                        SHA-256:D2D37391EC1325C6C27486311C5B5E1D11C55D0A464270F009E3D3E1B2A54D3B
                                                                        SHA-512:12FB89D2F9A5B19C7150D23A09A7C7B3F5616C09C8A83AE83A331263F0FA45181066F1A44080A46FE3A9F551BDF56485BD03DB9001FE82388DCDB1EF3FBC7829
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........L...............L...................=....................................................................... ..H................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................`..............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.1568075545974956
                                                                        Encrypted:false
                                                                        SSDEEP:384:ZhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zg:Zmw9g3LCjg
                                                                        MD5:F3CF496665845DA6C957242770973ECE
                                                                        SHA1:BF7206ECD6C6ABE687BE10A157C86C7EBE59C6BD
                                                                        SHA-256:BB190FF3FA391F3B69F3E4509B14D6DE320C980D69A59BC74DBD57BD8AA42F7F
                                                                        SHA-512:EA5A2D21353556B5B6FC420671E5F7026B6A280C7CD740CD1CAFA2C958318B5BB6A5F4AE6A00450E2A7997425A0AAAFFD158452401ABB732CA985A8DE3548213
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........6...............6...........(o...p..........................................................................y.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n........X..............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.8853799397148268
                                                                        Encrypted:false
                                                                        SSDEEP:384:5hCI2LwuSsYI8tIbLIYoI/IE6IQsIhIxIUIfIXIAI2I/IRIvI:5Z
                                                                        MD5:FACBCFA717058EFCED1754221D6A421D
                                                                        SHA1:1BA10B3E2BB8A2C739257CE228789E2D6C4F1A1D
                                                                        SHA-256:6F6A7779828D79A41F94AF9EE452BB44EE0E495D27A5B5DE7DAD659A6865C9CB
                                                                        SHA-512:0253FDCC88D3E52A9A26A065AC0C4E264DC0E84CB6A175D09BEC79E56D5282B9B95DCE2FEF47C48505D34C629388904AA6E2BDFF81759920FE314D6F9F5A6DB0
                                                                        Malicious:false
                                                                        Preview:ElfChnk.K.......L.......K.......L...............@6..u..B.....................................................................w..................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**......K.......1E..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.0596696487276978
                                                                        Encrypted:false
                                                                        SSDEEP:384:Qh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpHMXmM+ZM6Zz:QeJ+
                                                                        MD5:F6D375E51341AC949A73803CF00B96E6
                                                                        SHA1:5DB3BF9A34145DD777EA9593DE3C8054B08A11D1
                                                                        SHA-256:EBDFA834049A08F8FC9B3DD35800233E75BDB480D59E548D7F4F3F2720B889F9
                                                                        SHA-512:1714A4243ECEB63E23583F31D3D6C161D8423E1AD2D1E1440545718E6DA879F74C2F03E5C21120ED826093777F6DEEEFEC57B913E1B4C1D74C0B8A473752460B
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........................................X0.....!....................................................................B...........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6(..............................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.241268628600426
                                                                        Encrypted:false
                                                                        SSDEEP:384:Thk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1/:TBjdjP0csQqL
                                                                        MD5:602FD635C1BE2C0F087784BAE052554B
                                                                        SHA1:77EE62511C78BA6989DF77AC6B616422A44D7F54
                                                                        SHA-256:78FC5D1D71915650A8080B217B8B28F799B054F35C89AAB2C474DC4B9C3F0581
                                                                        SHA-512:8A66621CE4233D42AE83A0046A04628F4A88D91713C064944A61AFDF3F33D44E54E416A8441D1FFFDDCEA2E909761BBF151894881B4F93C0D238537939E21217
                                                                        Malicious:false
                                                                        Preview:ElfChnk...............................................j.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&..............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):129088
                                                                        Entropy (8bit):3.703847255178517
                                                                        Encrypted:false
                                                                        SSDEEP:384:fPIDrHIHIvIUIMIrInIJlImwIbzI8rIseIyIQIFIDIeIlnIAITI3WhDIEQAGxIHm:fNhjWZxGkilvhQWZxGkilvhYZ
                                                                        MD5:D5DEF85CEFB34DA16A8CD5F89BF31C07
                                                                        SHA1:A678F85043514D7255AECEF02F19BC9353E0BBBC
                                                                        SHA-256:940F45A2DD04BBCAA236C52183DCDF4B7D4FC2C24C14F0231C6683EB6C3CB7CA
                                                                        SHA-512:E0089C0E13EB5D46A2362A5E35FBA6330EDD808A07A56D2D0BD8B4D5A9C70C33AEDBA54FEDA69BBDAEEB847FCBBC3A6715F19B835E2E36DFDBCFC499A6B934EF
                                                                        Malicious:false
                                                                        Preview:ElfChnk.T...............T........................... ......................................................................O.;.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................................................a........F..........1........................................)..........................**......y.......C....a..........E!.F..............................................................,.......D.....!........... ....@C....a.....`...Z..`....... ...y....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.......a...&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8023807109333921
                                                                        Encrypted:false
                                                                        SSDEEP:384:Fch6iIvcImIvITIQIoIoI3IEIMIoIBIOIRTIWeIZIEPdINI:FcoxXxP
                                                                        MD5:996D00E5A8B66706691FE697CCD68A7A
                                                                        SHA1:C90C99232451BAF2DCEB02C56C69CA9194390A9D
                                                                        SHA-256:95EF5245BEB2BBFD8EB8F5CE3A0C81869EF2AFACA54EF3445C3B144909C6A4B2
                                                                        SHA-512:FEA1D551151A622B151133814ECA8DE8EE4E3DA6D08F81CCE931FA7A64242E732A283E03A4B21EE922AF24F6FF0AF5EE2F26CDB7AA534583063C40F9C40DA0C8
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.999253421723821
                                                                        Encrypted:false
                                                                        SSDEEP:768:h4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH130:j
                                                                        MD5:11CAFE60067FAE9C5A304C7A7DAC0EB5
                                                                        SHA1:0E72987588CB8557C7CD00AD3D8956CDC0593C35
                                                                        SHA-256:1AFA765FD9A0D9659C2A02A266ED4FD303C82BD9AFF45F0E7167E335F91E042E
                                                                        SHA-512:764A5D459803B989800473821647907FF484C914778A8AE42257E4791C1C1369E5490AB9365665C257045A007907981E78C1F2B4D5652BCA777873439537E9D0
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                        Category:dropped
                                                                        Size (bytes):68632
                                                                        Entropy (8bit):3.8554460752513044
                                                                        Encrypted:false
                                                                        SSDEEP:768:vc8utDBjV8k+G7eUtHpoVWW6HzLKvc90Xjt0GMAoLx07SZRcZv76NcRUjGHzLKv9:futDBjV8k+G7PtHpoVW
                                                                        MD5:BFA6C635B63E3D65527E466C0F72F979
                                                                        SHA1:9143FE5E1E2382138FE304B43D10C5140D30D469
                                                                        SHA-256:F978A09BD27A227DF281408C04AD2B0B258F99199AEEDA966831592F97818EDD
                                                                        SHA-512:A9B9B8246B2DA4337936C02B3F65AB4CD5598B81A7E3E8866C14E162DC3AA6EF29264D16D1FAADD76C62DA66FEB3CBC06E998E5FD8249841E4CB7ABA4D9AA79F
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.435727690193882
                                                                        Encrypted:false
                                                                        SSDEEP:768:GpJ5LU1jN2RkG6OQFAWAbYgO0TKLPmbvZk8M4+q:0LUy4AVKLPmbDM4L
                                                                        MD5:C8CA09D06FDF7816260F8EC0A3D7651C
                                                                        SHA1:F6C7175325E661DFCF9DB213CFDA41D975D9CA82
                                                                        SHA-256:53026A81DE8E4C632D99AD6C8550ACD74E51F16F694B1B0BE2DCB4EA167D2079
                                                                        SHA-512:4A40AEC067D2CFEAB320586822D093BA54EED08D33CDFF6C200282E47A452D02B39A4D3A64A205C5C8CDEDD00682FC32B966C095C45E2FAE7DF17E23E712D2B8
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.7602204514023913
                                                                        Encrypted:false
                                                                        SSDEEP:384:ChP8o8Z85848V8M8g8D8R8E8J83W1d8b8ut8l8:CR
                                                                        MD5:A71D2A716E4B8C87379C50F91A376243
                                                                        SHA1:B55D17BCD95C285812D918E820EDC513B8BC4373
                                                                        SHA-256:4C279C417D131982DEF275E92EC2EB1CCF985E5A5785B8989D28972A72AAD650
                                                                        SHA-512:4759EE9F1D1DF7F9C3452A40C1A58C66A8928378CC69B464944C4732BC5042BE1FFA81996F5943702CF7379C632B41081F9109421EB9A2243CCF06AF02BC45E8
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.777686051348048
                                                                        Encrypted:false
                                                                        SSDEEP:1536:uXhWUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:uXcnS
                                                                        MD5:68B21090E6E30897FEB4503C8114AF6F
                                                                        SHA1:4486CAB534F83710240BB5CD6D35E7A269BD318A
                                                                        SHA-256:FFDFC9C8FACFF754DA908F2A4D513C890074BD7E6E08E7DAA1A1B1EE31F7256D
                                                                        SHA-512:D6AC1650B80A5E850745F89546E09C6C57204E952573B19FEEDFD3DC20864C1972C95F85B426CFDDB3D0D8738C84B91171816922D92EFFD751CBDCF1881D8FD1
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.4655200384785823
                                                                        Encrypted:false
                                                                        SSDEEP:768:m0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O5vaP4eZiGai2niL9i5:ucE5
                                                                        MD5:EC1441AF347A3AEBD3C499EB77112044
                                                                        SHA1:062F0645AF0FF401308A0582362E6FE001C5444F
                                                                        SHA-256:97F7D6CF9603D2EF964F3D680F5902853382AE270ED6A37576364BD19E0A1C4A
                                                                        SHA-512:687D850AB0E8E4E75E484ED8E56658749F1331854AD6E28400538F050E3F372CA791023C87CE192D1417C70E63C0911E589AD9AE103CE30BB68A03EED414AABA
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):86488
                                                                        Entropy (8bit):2.2471092796292176
                                                                        Encrypted:false
                                                                        SSDEEP:384:lhNiwCrtrlXbaDQX/5pbiN5p6iN5yYXiN5pZiN5pIiN5pLiN5pZDiN5p+iN5yYTQ:l6f6mR
                                                                        MD5:F9038C399CFFA5DD217B0B39A7068204
                                                                        SHA1:0E4C8EFF437E1FFB07AEA21953962324E0A8A047
                                                                        SHA-256:C181FEBBD7F0972B4CC905A46F3156B3E12D127FB30DABDADA492478399757DA
                                                                        SHA-512:FE98ECBF5D3AF5B4CFF9FCABF52400EB2E81ACE4804DF8F3663518558F2880192AD6A5016EF0B4C227E84949BC18A8B23D90921822B38905BA11702C01AEC967
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.335307911754908
                                                                        Encrypted:false
                                                                        SSDEEP:384:NpQ/hDGCyCkCzCRCFCaC5ClCWQCyCiECLCtmWCTCYCflCdCEtC0C6gCwzChWCVJY:NpQ/dJjm6EIf8aG3e
                                                                        MD5:DEC13E419235D71E66C768AF61C819EB
                                                                        SHA1:C2601E3DF8A2D6E230D368CA0ECDD4BD11786D1A
                                                                        SHA-256:E9AAB8B817BC34F1B7009A6ABC439ACD1EFC991293198857268699458DF84552
                                                                        SHA-512:A78230EF0961E00D27B109F0EEF6DEDB9198759E1858C1DCB8C0E1032D48242C23726BB2931EE62A47A5C4D8434CD3BB537B0E6DF85D62653E3648A49A22AA3D
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.470554172113501
                                                                        Encrypted:false
                                                                        SSDEEP:1536:J0dBaHTmPeG68WdEWx/Tm3vaA1YNNd/vTGMk1o4X7BOBrc3gkWqJfECYqzGDXbJm:J0razmmG/WCWlTYvn1ANxvqMYo4XdOBH
                                                                        MD5:7C2BA3824E6FDFDC9B34997831CF5BA4
                                                                        SHA1:2F75B2D7953CA1F3F139E66C1C1C785DC11F6F0B
                                                                        SHA-256:902EC3153154EDF682DF6D35860B9D42B3C6016F787D02E0CC1D2371F3997192
                                                                        SHA-512:4BC9FFCB38302D4764B8632EC360FFDE079EF9818F6128BE07F6E89671A510A32AC93145F3FDB4CDBD6363390EAB157D8B164C2B04B86A36C3B93A08AE7A6B52
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.469736793329298
                                                                        Encrypted:false
                                                                        SSDEEP:1536:6j9GvEkeLhw6IrKOu4zB5c63VJ7qhFRbw7ZGnCg7HZANhlPqizIUxKu/GFy9pUJD:6j9GvEkeLhw6IrKOu4zB5c63VJ7qhFRv
                                                                        MD5:8F5A4A76B980826116BE5A5516591E85
                                                                        SHA1:59BF27E802048AD462308A17C30F5FE5006F86A1
                                                                        SHA-256:41E83C33670CDD3452FA267E442B42AD26F61A0766381B0D61026312007299D4
                                                                        SHA-512:DF7BEC6D83713ABA6CF9CB2ADC34E2A884B4942C08CCA0DBBAD4A9A358D4E79FC55EE35B68CA7518BF56AC1E8B137596E29FF2B9311F7DB76DC0F16E8838955C
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.5283250731919766
                                                                        Encrypted:false
                                                                        SSDEEP:384:YeUThv707s7a7v7yP7c7V7u7C7Z7C7M7n7K7G7d7Yp7PC787h7H7l73+7L7L7j7s:YeUTRVb
                                                                        MD5:9CB77B06F0F33B4BC7A638085998A032
                                                                        SHA1:04C57BABBE0B49A1AF70143FD2D9ED9071A14D5C
                                                                        SHA-256:AC3F98137ECCA65B1C5EBDF80B02F693E51AEA05B0B033CCB9A91C68778FF751
                                                                        SHA-512:488788029BCCEA4A3D2C8ED7492D895469BE0962884BC868F080E9CB479AF7ECDAF46E17FC08C9912B953E614E9DEE673DF994170931A99D9E28248117C6F4F8
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.268440759929627
                                                                        Encrypted:false
                                                                        SSDEEP:384:whc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinJ:w6Ovc0S5UyEeDgLvqSX79K
                                                                        MD5:3E6903B4F529505011694E65B60A9154
                                                                        SHA1:05BC372041FD161154C35F843BFE439066F3A6C6
                                                                        SHA-256:E7BB68D43D88025FC2EC47BCA4957A08CEDF53FAA24751D95019CEF867223393
                                                                        SHA-512:8C700C45A3A01A79F9E0AB74BE5C0E718E231AAD4395F631A3DADA5C83E937EEBD0804DB0AF340A341440414ACD9293713B9ECB1A074F5E794CA21DFAB8D8CA0
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8178355996317889
                                                                        Encrypted:false
                                                                        SSDEEP:384:HhGuZumutu4uEu5uOuDuyb2uPu1uuuCeuDu7utu:HD
                                                                        MD5:FFB7825ACA321A39E4DD495EC4B7E3BE
                                                                        SHA1:A4EBE4617E4B98D93FDE5546893A4D29441B5F44
                                                                        SHA-256:F56C28857B0E8D30F34089306B9CCF6655F7ED073412E710AB10D747092DA0D2
                                                                        SHA-512:86D7C252C870B9362394CFA35B99AE257228E477A5346D8EF5B91E81F3A78CD008DC52A5F3D12C395EFB715F82B849CAD805AD71CF8C58514614F83EACB4F63E
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.075909180265887
                                                                        Encrypted:false
                                                                        SSDEEP:384:NhzAsAvAaAmANSAbNAQAfCHA+AHchArAXATAvAjALATABAtGABS78jAOAqA4eAEp:NGCs2k64i/tpqA
                                                                        MD5:3A282029B03747ACB9F0A3496C717BD9
                                                                        SHA1:705490A345F883E024CC1641981A90DA6EDADCF5
                                                                        SHA-256:2A94A3FFC2481031F58367AB9F99D7972299D7F537520D2A6318B1BAA6B158F8
                                                                        SHA-512:F98AEB35B035B10B5C3CCA876E445D502AD84F66BE857B17EFE715983F9834ECAEDCCE5FF03914853115DE1644E9541FF111BD79A3607FA707735546A0C04AD4
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.162414582102809
                                                                        Encrypted:false
                                                                        SSDEEP:384:khVpW2pPkpPrpPepP1pP4pPHpPypPxpPYpPDpPypPlpPct1pPnpPsLpPAWpPQpPT:k+tZb
                                                                        MD5:0D76B94CB673E07C9297775F6635BB30
                                                                        SHA1:42037C8D133B4CD395BA6BDC1108C30882248866
                                                                        SHA-256:7133E41E960AD5F46294DCBDC3FFE8CFCFD120213DF680017947924D3C013A8B
                                                                        SHA-512:9E5D104332631EDBCB8AF55BCEA2CD7B7EB34A0FE1DF226579E005A775840CDF05C86CCBEF902730138ED1A27347B4FB070FAF37046320740009CC11BAC11C33
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.217583590897775
                                                                        Encrypted:false
                                                                        SSDEEP:384:3hUIpGcRpDvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBD:3YDoh1VLBCVz6t0o3ZeF9UBlG
                                                                        MD5:C5BB06A11AA8E33C5D2512146A14F414
                                                                        SHA1:BCA1D0ABD07806B4DDB34B4483B04B57A840CC26
                                                                        SHA-256:5A42653C87D73E415D15B08AE3511312F991238224022920D85CDEE43316C64A
                                                                        SHA-512:8FE28DAC0CEB3BBB462390492FA7623077448CCD58E04EE38C6CE9FF92FAD6647176DD61A628A4C03C3C5DEE9912D67375AE77865DE52D23B2B253C01C43FC86
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.1666137709834492
                                                                        Encrypted:false
                                                                        SSDEEP:384:uwhwCCRzCaCkClCzCYC/CyCVCGCMCvCzCw9CdqCVCICsC:uwKFT
                                                                        MD5:88E290384531AC91E63C802B158E726D
                                                                        SHA1:2AFD218C14B290A33DC27B0BDBA87AADFD428D9B
                                                                        SHA-256:36B48D00709B0F3B917927DE97D395C4785F6A7B61CCC5C72C799C4521FD9D97
                                                                        SHA-512:7969E4BDC2659D8412FD187135AB04B329AE134E2A5E386D86BA0E490F979621DCE05DF1118FA31987CB5FD27CB964773F4A67D6884002F7E9579A752E5A2AAD
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):95328
                                                                        Entropy (8bit):4.686458683797856
                                                                        Encrypted:false
                                                                        SSDEEP:768:zv+AywAyCAy6tAyP4s05v+AywAyCAyre5:lakGqEbakIe5
                                                                        MD5:3A9D52C4CF9DF9FF73469CF1531022A8
                                                                        SHA1:243E7D613C2B38DA2ADBC639983A740778B31008
                                                                        SHA-256:93F14F47CF45EC8E9A84E81D44F807185F3067614BD21DCE9BE9830459153075
                                                                        SHA-512:9F7A1B40AD35BD6BB03D72946726A3762D5690EE7EF308B2F0A3A64FA2E454759292D343845917A3B5BDF3CABB35A2CCB609F9AA47657301CA658F536A43EA75
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
                                                                        Category:dropped
                                                                        Size (bytes):79024
                                                                        Entropy (8bit):1.8243555656174901
                                                                        Encrypted:false
                                                                        SSDEEP:384:y/hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmIUmxjUmLUmnUxhL6UsE0ZUv:YY7LR+Y7LR
                                                                        MD5:8F4A3197835332B5EB3B1097779D28A7
                                                                        SHA1:25C6BE736424268F10F7F21D4F8E703B5FBFEB4B
                                                                        SHA-256:8DB763A92F2734BB8311391DF5BCCAEA658DD2728A2F149261C11CC7F0A2E2F0
                                                                        SHA-512:F874CEBB95B01F2D65CA542EDF092C40FE9ED9DFDC255B19C24384911FC86D172443D597051C3A1D900FDAFBFABFF837279282D2F0A3736FAC5C2FC23AC6FCE0
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.20434892737239
                                                                        Encrypted:false
                                                                        SSDEEP:24:Mzbg2Wkw1rPfWwfcnMoNRpYCx/EtfWi05MhL5OkWwj21WhBkco16wa8LDl80hmjj:MtW3rP+yQNRBEZWTENO4bhBkcob/6zk
                                                                        MD5:7DA84830C2365B0DBB218E56F42BE048
                                                                        SHA1:02826810E1C9828F82120DC163218F77242F3B17
                                                                        SHA-256:CB0C22CDD968868FA322D0EEAE3E4AF8B32B20DE4FDBE5FFBB0CECAA984AAC4F
                                                                        SHA-512:4F0629A340A6B23EC0EA9A388E5091DE2225833DD87DECD7E0F53B6A97DD2F11601CD33F97B5908E2F7D97A5E2A99CECC4B84B1CFA931033ABDD664E5B557A43
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.0934111022900845
                                                                        Encrypted:false
                                                                        SSDEEP:384:phjivnniDiiuXieuietio0i7riTKhiIViOhin5ibaifiWipiUiKijiTVijiHiBRY:pon6ufC/hCI4MWs8PM9QSp
                                                                        MD5:C03DC232AFCDF6316B6CC7D1D5266423
                                                                        SHA1:8B90D640BB1B09E8C61117DE6B00B93CB1FE69A0
                                                                        SHA-256:198FDBBBC7444C323E7DBFB5B6D5B6AB870587FE7B740A05C22C6821B0508D16
                                                                        SHA-512:192E77738FC7A6493DFA22C5A56EA01E4A502219756578AE772C4FB0A1074617A21523D1029C6C9DDF15798D0968A0C14C8B723EAB0B91BD01F9967540C04DE9
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):100392
                                                                        Entropy (8bit):2.90277895823838
                                                                        Encrypted:false
                                                                        SSDEEP:768:+hshamoZqP+INFaqoshamoZqP+INFaqsXqF:+6hYE7NT3hYE7NT6a
                                                                        MD5:76F34EF68E46015C53CB7C35B7292438
                                                                        SHA1:1F88DC60350F138C0EC820DCB6C935F9CC96496E
                                                                        SHA-256:B921FB50DEF74EA6E8739CA57C064A702049FCD692D5E1EBBEC5598BE3A2982E
                                                                        SHA-512:45F5C6CD4CD02798A994A3FB16781E7805450C6534870597D27B6B24CEC126FCC97F8AB2E6F83283DCD072A5E5459582FF9C34DB608FC6B76EE81424BCE317CE
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.386685832930137
                                                                        Encrypted:false
                                                                        SSDEEP:768:EsasF4a8a/a8a7aRadaQacaXaaaJamagabavaraTaHabavaLaHa/a3aHaPaLa7aX:fF4
                                                                        MD5:0F8EBC41337BB0FE1E1350110C8FFF3E
                                                                        SHA1:2485A1CF190C989195AA9172D54F51EC3F34BDE8
                                                                        SHA-256:FFC2533D7AD10B6E25313AA7583390DEDFA57BA7197B1DB2B23084AE039CAC35
                                                                        SHA-512:B5398826684295641D2946017570CD17E5878446F4662785FB9A0BAEC516448DCACE3420A84C761E811EF7364DBBB64E239C6EF561C8D42C666B1A8548B3B2CE
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.4157482482643835
                                                                        Encrypted:false
                                                                        SSDEEP:384:8haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJgXJRpXJBgXJQXJBvXJnXJSc:8Q0yUkNYwD8imLEoRfBoYb5GO
                                                                        MD5:A886E83D1948FFB2BF4A2B744DDCCBD3
                                                                        SHA1:0074C53E8984FB0024DE0485447D3E1081B34D0B
                                                                        SHA-256:6DD70CE24E770699A142E13D62B090F64E00CD0A8501FC2D31E0ED5F9DFAB004
                                                                        SHA-512:3263F89608AEB4140553E587A3946E352391DAAC7DF85ABF0358A39B45103655DAE1DE29616A71142C4BB42FD1C0273F3E3B2F6900CCDE672F36ADBB3F7629D1
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.342266575776689
                                                                        Encrypted:false
                                                                        SSDEEP:384:Chbm8mJmAwmsmkmtmZjm9mEJmSmSgmMmJmyFmgmPm4mOmdm9mHbkmzm7m6mBmdmv:CA74DcxI1c8PF
                                                                        MD5:302AE7C3FB3FBC33D19DBFB4CA97D867
                                                                        SHA1:86165BE8A181F1DE44CC86F75E36890C0379AB94
                                                                        SHA-256:1183791BE47DD2268E48827BC2B2F8D2F50C6265AF23904E15E35A8A4715B3DB
                                                                        SHA-512:AEE86973AE3C7844DF4EAA3406ECCF1AD59EF458F1623A35B84246B26C83229441B76C64A2502D2F9EF298DAF450D0069C6180A99B041A1D2B9DAD57B6F8A816
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.711346426112008
                                                                        Encrypted:false
                                                                        SSDEEP:192:7V7rDiDxFYzDiDPDiDfDiDDDiDxDiDUDiDgDiDsDiDQDiDEDiDYDiDEDiD:7hr2ts2T2z2n2N2w202w2M2Y2E2I2
                                                                        MD5:F911674F42FFA9096A39B15D79861134
                                                                        SHA1:14C46673DAB47906E3693ABC048CD0C2FADBECB6
                                                                        SHA-256:1668A045EF7528D741AAD61574F673D564D9BC7831A57FB6CD4A4D25C3FCA4B5
                                                                        SHA-512:2341C1145DCD1E714D0A16CFE517CCD8F0BF6F94A45882A4142B2D90B27A1ACD4F4508AF7E49A52B0B0F2E418EEC461EF2CBB0463D48CC48E08E6880A617B442
                                                                        Malicious:false
                                                                        Preview:ElfChnk................................................(....................................................................4.KU................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F...............................-...................................&...............................................................................**..............IL..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):71640
                                                                        Entropy (8bit):3.8668332644778953
                                                                        Encrypted:false
                                                                        SSDEEP:384:2RtRIzsRccRVwR+Rh7RucVRDRbR2R3RgRxR5RrGRRrRuRVRERfRzRwRQRoRTyDRL:boRNzUhK3Vo
                                                                        MD5:6AC9E81348EA20DCBEE8AA401F1F9D2F
                                                                        SHA1:6CC0F8879DC823B84E713EB666C6A6C38D0DEFF9
                                                                        SHA-256:D8BEA8365E544E3336122FBD085BE1D236F525EA32E1117485523CDEBB068789
                                                                        SHA-512:59A81AFC4DF7BAD162AE125F179D8794152CCFFAE27421C0448E23ADE078532D3E0B0F1897D10C846A8BAC36302111918404E410552C9A11F4CB1F0C8BB17DFE
                                                                        Malicious:false
                                                                        Preview:ElfChnk.:.......w.......:.......w...................q^<.............................................................................................2.......@...............=...........................................S.......................-...........................J..........................f...b..........?...............................A.......G.......M...F.......................................................................................&...........................................................**......s........2...a.........^..&...............................................................<.......T...R.!................@.2...a.....`......`...........s....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...6..0........6..07.\..+{.([.U.......A..I...@........=..O.p.e.r.a.t.i.o.n._.E.S.S.t.o.C.o.n.s.u.m.e.r.B.i.n.d.i.n.g...o....j.....3.h.t.t.p.:././
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.260359446709512
                                                                        Encrypted:false
                                                                        SSDEEP:384:fhRhwhdhP0h9hzehShchawhZh4hhhshphihXhMhxhzhwhohGh5h3hShChWhzhLh4:fmFpkBzBiELmn
                                                                        MD5:067AD5BE5D9DAC2F9972EA7CCD899B43
                                                                        SHA1:EDD013A75A95D510CCEBA7DF86938621FA17E518
                                                                        SHA-256:EE5349F31C79D30F8AB2023451ECC640BD33C7F038ED6951D0F9FF2FE82BA0E7
                                                                        SHA-512:F2E20C281CD6E14FBDDCE8C89055CF5BC6A3C79E5D65037B269B11F2500E750A15998C9A29365F7D5903E4CF568EA45026E9F340A0318C212E8AD936EA2B3F65
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........................................`...........................................................................3i._........................................@...=...........................................................................................................................f...............?...........................m...................M...F...........................................i.......................&.......................................................y.......................**................9.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.2594795605878295
                                                                        Encrypted:false
                                                                        SSDEEP:384:LhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVHV7Vj0V1VXFVq:LyjbPac
                                                                        MD5:33C02B19501869BF7DF6F6BF1D2E6BF6
                                                                        SHA1:D90AF4BD50FE734A1E74ACC4E0704FEE1346F8D4
                                                                        SHA-256:6453729FD9D539566FC7AA3CE013B958C237E0E713AA917444F453C02A96F3BB
                                                                        SHA-512:B4D4A162E59651477CE87DE756F9DBD7634A206CA7FA83CA61DD73F86CAE343083AFF067A981DE096AAB1AE6997E599397E4851648800B2BCDAA6E5BAC0797A8
                                                                        Malicious:false
                                                                        Preview:ElfChnk........."..............."...........h8...9....?......................................................................Z..................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v.......&*..............................................................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.222447856511044
                                                                        Encrypted:false
                                                                        SSDEEP:384:vRhcBwBuBwB+BwBZwDIBwBoK/oyBwBY/puBwBN0bNoBwByQZBwBY/UUBwBY/5Bwu:5I0bp6tHrL
                                                                        MD5:2728CF054D93BACF2D46684B2BE7B685
                                                                        SHA1:88E3C611575E779C38212326B14D113E1FAF5038
                                                                        SHA-256:4224E965585D057E00D8A3978861E028624648A2B8112C42FCD104DA8A6F52E0
                                                                        SHA-512:D53BD84EA6F13D03AC4A18BAA05C000D04B07D7D3EFED00492E29C6135E7C184F5BE6527EBD6254C9B8F13AC848B30444BB68A1248B480E7ABB64898B880514E
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................H;..x>....;4.....................................................................k.l............................................=...........................................................................................................................f...............?...........................m...................M...F...........................o.......................................&...............................................................................**..(...............`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.423183909657457
                                                                        Encrypted:false
                                                                        SSDEEP:384:/hGUEBUEYUEQUEhUE8UE5UE5UE8UExUEFUELUEVUEyUEXUEDUEuDUEBUEWUEzUE3:/P7s3NxG9
                                                                        MD5:718C0E7FA4C2A524A5FF961FEB987C13
                                                                        SHA1:73CB0C09C67332548F50613AA349E12695C715A2
                                                                        SHA-256:461F7778DD38ABE30403674C9E34EFF22F91AB7D4C207FB8CD2C4B31773588CC
                                                                        SHA-512:6A7705597D00B2193F3ECD79CDCD4B6D97DA36B879ECBC2E5F8EA3A8B77D9FA301B14E68BBB9ACBBF72B695DC83E66493F3C4D1DD94B1FC9D0E4ABA787BD853B
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................0`...a.....r........................................................................................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................................A.......................**.................`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):84384
                                                                        Entropy (8bit):4.248889863867504
                                                                        Encrypted:false
                                                                        SSDEEP:384:FFR9Be2s7N0oGMtUkwoxMtnFR9Be2s7N0oGMtUkwoxMthtrWovMt9RYolQMDoJLw:HNO2rNO2QRNNASbk3NO2a
                                                                        MD5:C9254FF852E968A6678BF656852DDAF8
                                                                        SHA1:11DDBEEAD2AD069B39F958BC44D22F5E093F3788
                                                                        SHA-256:12D671455347B886BD9F3F4148AE6EBD6036D76F44512C4A373E21D159512FF9
                                                                        SHA-512:0FE4DE81557609A184D4A4DF46ECED68142A5505FA8AE4B03948FFE1E6EE950BD228B030DA8493A8CE02B1EDDCA4EDAFAFB8D575DFEE1537463229AC45A46B5D
                                                                        Malicious:false
                                                                        Preview:ElfChnk.................$.......(................!...Fo......................................................................A..........!.......z...s...h...................=...................................................N...............................................w.......<.......................5...................................c...........).......M...Z...:...............................S...............................V.......................................................................&.......**..0...$........RQ..a.........<.@&........<.@.o.S....../.G.......A..;...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....d...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):67992
                                                                        Entropy (8bit):0.40522333491716434
                                                                        Encrypted:false
                                                                        SSDEEP:96:3gNVaO8McoE8SRO2UgNVaO8McoE8SRO2:OV74RR3V74RR
                                                                        MD5:4AED6DC4A874DEB02D4E034CB7C8381E
                                                                        SHA1:DF5FE5802E3AB4745E43A7DE49E0C4AC60EBB701
                                                                        SHA-256:775CB04B338E93CCE4F57CE5FE19CA3724EDEE2CAA6DDF8A9D1F6AC98B91C661
                                                                        SHA-512:14CB5004825CF361ADB486896CF1C7291D81DFB43B251E3BAD8C063E13AFB74FF1D587B69322FA7146534148DD756C9F9D8389C26FF19B970C52DA2F2486BE82
                                                                        Malicious:false
                                                                        Preview:ElfChnk..............................................Kp.......................................................................w.............................................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..............u....a..........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):89192
                                                                        Entropy (8bit):4.457045499770004
                                                                        Encrypted:false
                                                                        SSDEEP:768:QxpVOTxpVO6it/uFN3HpRAtF7xpVOS6Rv:sw6KLAtFRov
                                                                        MD5:89D4B5CF9CEB2881FA68243AD729FA90
                                                                        SHA1:325A0A6849A753C6601174237416BA23374A888A
                                                                        SHA-256:D83C72E5ECA638F6B0737651E8963FAFA41A21794FC2C272E1AD5A9A4771ADFD
                                                                        SHA-512:42B5BABF433CFCF95733B0E58A9F059AD3F4D7E1BF3E3C7505CDD97DEE071A3F07424E7442A097F60721E670DA6FAE773228A396D609DC6AC9D844CC6983F1AA
                                                                        Malicious:false
                                                                        Preview:ElfChnk..................................... &..0'.._..v....................................................................X.bq....................s...h...............%...=...................................................N................................ ...%..........w.......8.......................M..................................._...........).......M...;...:...................................................r"......y...~...........................................&...1%..................&...........**..H............RQ..a.........v..&........v..Tr].4....E.C.......A..7...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....`...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):77096
                                                                        Entropy (8bit):3.8481877756794898
                                                                        Encrypted:false
                                                                        SSDEEP:1536:OltSq0IC8ltSq0ICX0ZjN4r47OzHaQhy3i:
                                                                        MD5:AECFA35FCC186B873C046B3A50436078
                                                                        SHA1:54C5F566A1C07EDD920FD5DAFED5DB1F7B352864
                                                                        SHA-256:6DEE7501B9DB577F357A644A6040D704703C694591B6BDEF4209120CE6E98B15
                                                                        SHA-512:ADAC7892ECCD49E1BAE4E40BB028FC5B370559CB7FCB7ABB3CCE706B4BFEF0262B8CE1A17653EAD59830B995E4748DC7E95123D939AB071E20E1EA2510C0B3B3
                                                                        Malicious:false
                                                                        Preview:ElfChnk.................y....................(..(-..........................................................................m...............................................=..........................................................................................................................._...............8...........................f...................M...c...........................v.......................................................................................&...............................**......y.......L....a........L.-9&.......L.-9...P..K`..$5........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Entropy (8bit):6.525931537093555
                                                                        TrID:
                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:Kawpow new.exe
                                                                        File size:5'471'744 bytes
                                                                        MD5:fb6a3b436e9f9402937d95f755b62f91
                                                                        SHA1:aea3a8a311c2b8b6fc7d9d263b952f95a30b180e
                                                                        SHA256:4c9d878e35e7fd497c633a770d3359fb37447985450dc19f45db0925972c39e0
                                                                        SHA512:7a3e2e42fe965db1cebc539235fec88e277669c9a62be2450ea4efaf5dd93f1de11740197ff26e697e9e9acc499cba2c30b64cfa5e5b35b28b9e0b93087ee2f8
                                                                        SSDEEP:98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
                                                                        TLSH:3646224D9C715724C56B857C2A351CF0EFE2F9242EFFEAA12ACFA4843D629D62379410
                                                                        File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........R.....@..........@..............................T...........`........................................
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x140001140
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x140000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6693B281 [Sun Jul 14 11:12:01 2024 UTC]
                                                                        TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:203d63d5d9a088e2d84cef737227986b
                                                                        Instruction
                                                                        dec eax
                                                                        sub esp, 28h
                                                                        dec eax
                                                                        mov eax, dword ptr [0000AED5h]
                                                                        mov dword ptr [eax], 00000001h
                                                                        call 00007FBFFC7EFE1Fh
                                                                        nop
                                                                        nop
                                                                        nop
                                                                        dec eax
                                                                        add esp, 28h
                                                                        ret
                                                                        nop
                                                                        inc ecx
                                                                        push edi
                                                                        inc ecx
                                                                        push esi
                                                                        push esi
                                                                        push edi
                                                                        push ebx
                                                                        dec eax
                                                                        sub esp, 20h
                                                                        dec eax
                                                                        mov eax, dword ptr [00000030h]
                                                                        dec eax
                                                                        mov edi, dword ptr [eax+08h]
                                                                        dec eax
                                                                        mov esi, dword ptr [0000AEC9h]
                                                                        xor eax, eax
                                                                        dec eax
                                                                        cmpxchg dword ptr [esi], edi
                                                                        sete bl
                                                                        je 00007FBFFC7EFE40h
                                                                        dec eax
                                                                        cmp edi, eax
                                                                        je 00007FBFFC7EFE3Bh
                                                                        dec esp
                                                                        mov esi, dword ptr [0000D189h]
                                                                        nop word ptr [eax+eax+00000000h]
                                                                        mov ecx, 000003E8h
                                                                        inc ecx
                                                                        call esi
                                                                        xor eax, eax
                                                                        dec eax
                                                                        cmpxchg dword ptr [esi], edi
                                                                        sete bl
                                                                        je 00007FBFFC7EFE17h
                                                                        dec eax
                                                                        cmp edi, eax
                                                                        jne 00007FBFFC7EFDF9h
                                                                        dec eax
                                                                        mov edi, dword ptr [0000AE90h]
                                                                        mov eax, dword ptr [edi]
                                                                        cmp eax, 01h
                                                                        jne 00007FBFFC7EFE1Eh
                                                                        mov ecx, 0000001Fh
                                                                        call 00007FBFFC7F9B74h
                                                                        jmp 00007FBFFC7EFE39h
                                                                        cmp dword ptr [edi], 00000000h
                                                                        je 00007FBFFC7EFE1Bh
                                                                        mov byte ptr [00538531h], 00000001h
                                                                        jmp 00007FBFFC7EFE2Bh
                                                                        mov dword ptr [edi], 00000001h
                                                                        dec eax
                                                                        mov ecx, dword ptr [0000AE7Ah]
                                                                        dec eax
                                                                        mov edx, dword ptr [0000AE7Bh]
                                                                        call 00007FBFFC7F9B6Bh
                                                                        mov eax, dword ptr [edi]
                                                                        cmp eax, 01h
                                                                        jne 00007FBFFC7EFE2Bh
                                                                        dec eax
                                                                        mov ecx, dword ptr [0000AE50h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe048 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x53c000 | 0x18c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53f000 | 0x80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc0a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe1e8 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa0c6 | 0xa200 | daa695e177d70a143384a41c581c4152 | False | 0.48410976080246915 | data | 6.120411868835049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x27dc | 0x2800 | 8447d32f062dd402a94b6fd372cdc0e9 | False | 0.48271484375 | data | 4.797840406707439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x52c0a8 | 0x52a800 | f4dad1a7599a5afded4b82e1e6a51ec2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x53c000 | 0x18c | 0x200 | 1194c6cbad6c789127276d08d8015019 | False | 0.509765625 | data | 3.1897430361504404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x53d000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x53e000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x53f000 | 0x80 | 0x200 | ac63a5c750fa0a7b812d69f394edeba3 | False | 0.2421875 | data | 1.4604375773007994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 16:08:20.432568073 CET | 1.1.1.1 | 192.168.2.7 | 0xbc8c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 16:08:20.432568073 CET | 1.1.1.1 | 192.168.2.7 | 0xbc8c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 16:08:34.748676062 CET | 1.1.1.1 | 192.168.2.7 | 0xd45f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 16:08:34.748676062 CET | 1.1.1.1 | 192.168.2.7 | 0xd45f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                                                                        Code Manipulations

Function Name | Hook Type | Active in Processes | New Data
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                                        Target ID:0
                                                                        Start time:10:08:01
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:10:08:01
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\SgrmBroker.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                        Imagebase:0x7ff654350000
                                                                        File size:329'504 bytes
                                                                        MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:4
                                                                        Start time:10:08:01
                                                                        Start date:07/01/2025
                                                                        Path:C:\Users\user\Desktop\Kawpow new.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\Kawpow new.exe"
                                                                        Imagebase:0x7ff74ac40000
                                                                        File size:5'471'744 bytes
                                                                        MD5 hash:FB6A3B436E9F9402937D95F755B62F91
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:10:08:02
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                        Imagebase:0x7ff741d30000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:10:08:02
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:10:08:02
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:10
                                                                        Start time:10:08:06
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                        Imagebase:0x7ff7fb730000
                                                                        File size:496'640 bytes
                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:11
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff662580000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:15
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\wusa.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff6d4da0000
                                                                        File size:345'088 bytes
                                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:18
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:24
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                        Imagebase:0x7ff655360000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                        Imagebase:0x7ff655360000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                        Imagebase:0x7ff655360000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:28
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:29
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                        Imagebase:0x7ff655360000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:30
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:31
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff7ec3d0000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:32
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:33
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe delete "CKTJZLMO"
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:34
                                                                        Start time:10:08:08
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:35
                                                                        Start time:10:08:09
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:36
                                                                        Start time:10:08:09
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:37
                                                                        Start time:10:08:09
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\winlogon.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:winlogon.exe
                                                                        Imagebase:0x7ff6fc1b0000
                                                                        File size:906'240 bytes
                                                                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:38
                                                                        Start time:10:08:09
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:39
                                                                        Start time:10:08:09
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe start "CKTJZLMO"
                                                                        Imagebase:0x7ff7078b0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:40
                                                                        Start time:10:08:10
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:41
                                                                        Start time:10:08:10
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:42
                                                                        Start time:10:08:10
                                                                        Start date:07/01/2025
                                                                        Path:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                                                                        Imagebase:0x7ff669700000
                                                                        File size:5'471'744 bytes
                                                                        MD5 hash:FB6A3B436E9F9402937D95F755B62F91
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 74%, ReversingLabs
                                                                        Has exited:true

                                                                        Target ID:43
                                                                        Start time:10:08:10
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\lsass.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\lsass.exe
                                                                        Imagebase:0x7ff6d9390000
                                                                        File size:59'456 bytes
                                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:44
                                                                        Start time:10:08:10
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:45
                                                                        Start time:10:08:12
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\dwm.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"dwm.exe"
                                                                        Imagebase:0x7ff74b010000
                                                                        File size:94'720 bytes
                                                                        MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:46
                                                                        Start time:10:08:15
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:47
                                                                        Start time:10:08:15
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:48
                                                                        Start time:10:08:15
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:49
                                                                        Start time:10:08:16
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:50
                                                                        Start time:10:08:16
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:51
                                                                        Start time:10:08:16
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:53
                                                                        Start time:10:08:17
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:54
                                                                        Start time:10:08:19
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:55
                                                                        Start time:10:08:19
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:56
                                                                        Start time:10:08:20
                                                                        Start date:07/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                        Imagebase:0x7ff7b4ee0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1351846085.00007FF74AC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74AC40000, based on PE: true
                                                                          • Associated: 00000004.00000002.1351812745.00007FF74AC40000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000004.00000002.1351884044.00007FF74AC4C000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000004.00000002.1351919032.00007FF74AC4F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000004.00000002.1351950143.00007FF74AC50000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000004.00000002.1353614812.00007FF74B144000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000004.00000002.1353806190.00007FF74B17C000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ff74ac40000_Kawpow new.jbxd
                                                                          Similarity
                                                                          • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                          • Instruction ID: a0ad70f45deaf7553ba4596f36c4468040dc245bf2a681bb6112833b48005c50
                                                                          • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                          • Instruction Fuzzy Hash: 29B01230D4D309C5F340BF01D84135877616B08740FE00070C40C03362CE7D54404B34

                                                                          Execution Graph

                                                                          Execution Coverage:47%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:67%
                                                                          Total number of Nodes:227
                                                                          Total number of Limit Nodes:24

                                                                          Callgraph

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                          • API String ID: 4177739653-1130149537
                                                                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
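The string list above carries the SDDL `D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)`, and the API list of the same function contains the Convert, String, Security and Descriptor tokens consistent with it being converted into a security descriptor and applied to an object the function creates; the report does not identify which object. Read literally, the DACL grants GENERIC_ALL, with object and container inheritance, to Authenticated Users and to Builtin Administrators, so any logged-on local user has full access to whatever that descriptor protects. The Python below is an added example and not code from the report, Joe Sandbox or the sample: it parses the DACL component of an SDDL string and flags allow-ACEs that hand broad groups write-equivalent rights. The abbreviation tables are a constructed subset of the SDDL notation, and the BROAD and WRITE_EQUIV sets are this example's own review thresholds.

```python
"""Parse the DACL of a Windows SDDL string and flag ACEs that grant broad
groups write-equivalent access.

Added example for this report; not code from the sample or from Joe Sandbox.
The abbreviation tables are a constructed subset of the SDDL notation, and
the BROAD / WRITE_EQUIV sets are this example's own review thresholds.
"""
import re
from dataclasses import dataclass

# SDDL string carried by the analysed function (copied from the report's
# string list above).
REPORT_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

# Well-known trustee abbreviations (subset).
TRUSTEES = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "BU": "Builtin Users", "WD": "Everyone", "IU": "Interactive Users",
    "AN": "Anonymous", "SY": "Local System", "LS": "Local Service",
    "NS": "Network Service",
}
# Two-letter rights tokens (subset). "WD" here means WRITE_DAC; in the
# trustee field the same two letters mean Everyone.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS",
    "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
    "FX": "FILE_GENERIC_EXECUTE",
}
ACE_FLAGS = {
    "OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
    "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED",
    "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS",
}
# Review thresholds (example's own choice): groups that cover every local
# logon, and rights that let the holder modify the object or its DACL.
BROAD = {"AU", "BU", "WD", "IU", "AN"}
WRITE_EQUIV = {"GA", "GW", "WD", "WO", "FA", "FW"}


@dataclass
class Ace:
    ace_type: str      # "A" allow, "D" deny, "AU" audit, ...
    flags: list        # two-letter ACE flags, e.g. ["OI", "CI"]
    rights: list       # two-letter rights tokens, or one hex access mask
    trustee: str       # two-letter abbreviation or a literal S-1-... SID


def _pairs(field):
    """Split a run of two-letter SDDL tokens such as 'OICI' into ['OI', 'CI']."""
    if len(field) % 2:
        raise ValueError(f"odd-length SDDL field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: component of an SDDL string, in order."""
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("SDDL string has no DACL component")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts
        # Rights are either a run of two-letter tokens or one hex access mask.
        rights_list = [rights] if rights.lower().startswith("0x") else _pairs(rights)
        aces.append(Ace(ace_type, _pairs(flags), rights_list, trustee))
    return aces


def broad_write_aces(aces):
    """Allow-ACEs that give a broad group at least one write-equivalent right."""
    return [a for a in aces
            if a.ace_type == "A" and a.trustee in BROAD
            and WRITE_EQUIV & set(a.rights)]


def describe(ace):
    """Human-readable one-liner for an ACE."""
    who = TRUSTEES.get(ace.trustee, ace.trustee)
    rights = ", ".join(RIGHTS.get(r, r) for r in ace.rights)
    flags = ", ".join(ACE_FLAGS.get(f, f) for f in ace.flags) or "none"
    kind = {"A": "allow", "D": "deny"}.get(ace.ace_type, ace.ace_type)
    return f"{kind} {who}: {rights} (flags: {flags})"


if __name__ == "__main__":
    parsed = parse_dacl(REPORT_SDDL)
    for ace in parsed:
        print(describe(ace))
    for ace in broad_write_aces(parsed):
        print("REVIEW:", describe(ace))
```

Run against the report's string, the parser returns two allow-ACEs and flags only the Authenticated Users one; the Builtin Administrators ACE is equally permissive but is not a broad group under these thresholds. The same routine works on any SDDL a pipe, section or registry key is created with, which is how a hunt for over-permissive IPC objects would use it.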

                                                                          Control-flow Graph

                                                                          control_flow_graph of 1400010c0 (block id, address range, API calls in the block, successor blocks)
                                                                          24  1400010c0-140001110  call 1400018ac                              -> 27, 28
                                                                          27  140001116-14000111c                                              -> 28, 29
                                                                          28  1400014ba-1400014d6                                              (no successors)
                                                                          29  140001122-140001138  OpenProcess                                 -> 28, 30
                                                                          30  14000113e-14000115b  OpenProcess                                 -> 31, 32
                                                                          31  140001161-140001178  K32GetModuleFileNameExW                     -> 33, 34
                                                                          32  1400011fd-14000121e  NtQueryInformationProcess                   -> 35, 36
                                                                          33  1400011aa-1400011b6  CloseHandle                                 -> 32, 38
                                                                          34  14000117a-140001195  PathFindFileNameW lstrlenW                  -> 33, 37
                                                                          35  1400014b1-1400014b4  CloseHandle                                 -> 28
                                                                          36  140001224-14000122a                                              -> 35, 39
                                                                          37  140001197-1400011a7  StrCpyW                                     -> 33
                                                                          38  1400011b8-1400011d3                                              -> 40
                                                                          39  140001230-140001248  OpenProcessToken                            -> 35, 41
                                                                          40  1400011d8-1400011ea  StrCmpIW                                    -> 35, 42
                                                                          41  14000124e-140001274  GetTokenInformation                         -> 43, 44
                                                                          42  1400011f0-1400011fb                                              -> 32, 40
                                                                          43  1400012f1                                                        -> 45
                                                                          44  140001276-14000127f  GetLastError                                -> 43, 46
                                                                          45  1400012f8-140001306  CloseHandle                                 -> 35, 47
                                                                          46  140001281-140001295  LocalAlloc                                  -> 43, 48
                                                                          47  14000130c-140001313                                              -> 35, 51
                                                                          48  140001297-1400012bd  GetTokenInformation                         -> 49, 50
                                                                          49  1400012df                                                        -> 52
                                                                          50  1400012bf-1400012dd  GetSidSubAuthorityCount GetSidSubAuthority  -> 52
                                                                          51  140001319-140001324                                              -> 35, 53
                                                                          52  1400012e6-1400012ef  LocalFree                                   -> 45
                                                                          53  14000132a-140001334                                              -> 35, 54
                                                                          54  14000133a-140001344                                              -> 35, 55
                                                                          55  14000134a-14000138a  call 140001ec4 * 3                          -> 35, 62
                                                                          62  140001390-1400013b0  call 140001ec4 StrStrA                      -> 65, 66
                                                                          65  1400013b2-1400013c1                                              -> 62, 67
                                                                          66  1400013c8-1400013ed  call 140001ec4 * 2                          -> 35, 72
                                                                          67  1400013c3                                                        -> 35
                                                                          72  1400013f3-14000141a  VirtualAllocEx                              -> 35, 73
                                                                          73  140001420-140001439  WriteProcessMemory                          -> 35, 74
                                                                          74  14000143b-14000145d  call 14000211c                              -> 35, 77
                                                                          77  14000145f-140001467                                              -> 35, 78
                                                                          78  140001469-14000146f                                              -> 79, 80
                                                                          79  140001471-140001476                                              -> 81
                                                                          80  140001478-140001485  WaitForSingleObject                         -> 82, 83
                                                                          81  1400014ab            CloseHandle                                 -> 35
                                                                          82  1400014a6                                                        -> 81
                                                                          83  140001487-14000149b  GetExitCodeThread                           -> 82, 84
                                                                          84  14000149d-1400014a3                                              -> 82
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                          • API String ID: 2561231171-3753927220
                                                                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740
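Two injection orders are readable from the graphs on this page. The callgraph entry for 140001c88 (in the long listing above) runs CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread: a child is created, code is written into it and its initial thread context is replaced before it runs. The graph for 1400010c0 just above runs OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, StrCmpIW (with MSBuild.exe and ReflectiveDllMain in its string list), OpenProcessToken, GetTokenInformation, VirtualAllocEx, WriteProcessMemory, a call into 14000211c, then WaitForSingleObject and GetExitCodeThread: code is written into an already running, name-matched process and a thread is waited on. The Python below is an added example, not code from the report, Joe Sandbox or the sample. It performs an ordered-subsequence match for those two API orders over a per-process API trace. The trace format (timestamp, caller pid, API name, target pid), the sample trace, and the thread-creation step of the second pattern are this example's constructions; the report does not expand 14000211c, so CreateRemoteThread and its NT-level alternatives are assumed there.

```python
"""Ordered-subsequence matcher for process-injection API orders over a
per-process API trace.

Added example for this report; not code from the sample or from Joe Sandbox.
The trace format, the sample trace, and the thread-creation alternatives in
the second pattern are this example's assumptions.
"""
from collections import defaultdict

# Each pattern is a list of steps; a step is the set of API names accepted
# at that position. Steps must occur in order for one (caller, target) pair,
# with any number of other calls in between.
PATTERNS = {
    # Order shown by the report's graph for 140001c88: a child is created,
    # memory is allocated and written in it, its thread context is rewritten,
    # then the thread is resumed.
    "hollow_new_process": [
        {"CreateProcessW", "CreateProcessA"},
        {"VirtualAllocEx"},
        {"WriteProcessMemory"},
        {"GetThreadContext"},
        {"SetThreadContext"},
        {"ResumeThread"},
    ],
    # Order shown by the report's graph for 1400010c0 up to the call into
    # 14000211c; the thread-creation step is assumed (the report does not
    # expand that helper).
    "inject_running_process": [
        {"OpenProcess"},
        {"VirtualAllocEx"},
        {"WriteProcessMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
}

# Constructed trace, "timestamp caller_pid api target_pid" (not from the
# report). pid 4120 hollows a new child 5204, then injects into 2988;
# pid 7000 only enumerates and reads 2988 and must not be flagged.
SAMPLE_TRACE = """
1 4120 CreateProcessW 5204
2 4120 VirtualAllocEx 5204
3 4120 WriteProcessMemory 5204
4 4120 VirtualAlloc 4120
5 4120 GetThreadContext 5204
6 4120 WriteProcessMemory 5204
7 4120 SetThreadContext 5204
8 4120 ResumeThread 5204
9 4120 OpenProcess 2988
10 4120 K32GetModuleFileNameExW 2988
11 4120 VirtualAllocEx 2988
12 4120 WriteProcessMemory 2988
13 4120 CreateRemoteThread 2988
14 4120 WaitForSingleObject 2988
15 7000 OpenProcess 2988
16 7000 K32EnumProcessModules 2988
17 7000 ReadProcessMemory 2988
18 7000 CloseHandle 2988
"""


def parse_trace(lines):
    """Parse trace lines into (ts, caller, api, target) tuples, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, api, target = line.split()
        events.append((int(ts), int(caller), api, int(target)))
    return sorted(events)


def _ordered_match(apis, steps):
    """True if the step sets are satisfied in order by the api sequence."""
    i = 0
    for api in apis:
        if api in steps[i]:
            i += 1
            if i == len(steps):
                return True
    return False


def find_injections(events):
    """Return sorted (pattern, caller_pid, target_pid) hits."""
    calls = defaultdict(list)
    for _ts, caller, api, target in events:
        if caller != target:          # only cross-process calls matter here
            calls[(caller, target)].append(api)
    hits = []
    for (caller, target), apis in calls.items():
        for name, steps in PATTERNS.items():
            if _ordered_match(apis, steps):
                hits.append((name, caller, target))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_injections(parse_trace(SAMPLE_TRACE.splitlines())):
        print("%s: pid %d -> pid %d" % hit)
```

Grouping by (caller, target) is what keeps the reader process at pid 7000 out of the results even though it opens the same target: OpenProcess followed by ReadProcessMemory is what the report's own 1400014d8 routine does, and on its own it is not injection. The match is deliberately loose about intervening calls, since both of the report's routines interleave name checks, token queries and heap calls between the steps that matter.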

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                          • String ID:
                                                                          • API String ID: 4084875642-0
                                                                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Similarity
                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                          • String ID:
                                                                          • API String ID: 3197395349-0
                                                                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                          • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                          • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                          • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                          Similarity
                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                          • String ID:
                                                                          • API String ID: 1323846700-0
                                                                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                          • String ID: .text$C:\Windows\System32\
                                                                          • API String ID: 2721474350-832442975
                                                                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                          • String ID: M$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2203880229-3489460547
                                                                          • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                          • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                          Control-flow Graph

                                                                          control_flow_graph of 1400021d0 (block id, address range, API calls in the block, successor blocks)
                                                                          129  1400021d0-1400021da                      -> 130
                                                                          130  1400021dd-1400021f0  call 140001b54      -> 133, 134
                                                                          133  1400021f2-1400021fb  Sleep               -> 130
                                                                          134  1400021fd-14000220a  ConnectNamedPipe    -> 135, 136
                                                                          135  140002241-140002246  Sleep               -> 137
                                                                          136  14000220c-14000222d  ReadFile            -> 137, 138
                                                                          137  14000224c-140002255  DisconnectNamedPipe -> 134
                                                                          138  14000222f-140002234                      -> 137, 139
                                                                          139  140002236-14000223f                      -> 137
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 2071455217-3440882674
                                                                          • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                          • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                          Control-flow Graph

                                                                          control_flow_graph of 140002b38 (block id, address range, API calls in the block, successor blocks)
                                                                          149  140002b38-140002b8c  GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc  -> 150
                                                                          150  140002b8e-140002ba1  K32EnumProcesses                                   -> 151, 152
                                                                          151  140002ba3-140002bb2                                                     -> 153, 154
                                                                          152  140002beb-140002bf4  Sleep                                              -> 150
                                                                          153  140002bb4-140002bb8                                                     -> 155, 156
                                                                          154  140002bdc-140002be7                                                     -> 152
                                                                          155  140002bba                                                               -> 157
                                                                          156  140002bcb-140002bce  call 140002540                                     -> 160
                                                                          157  140002bbe-140002bc3                                                     -> 158, 159
                                                                          158  140002bc5-140002bc9                                                     -> 156, 157
                                                                          159  140002bd6-140002bda                                                     -> 153, 154
                                                                          160  140002bd2                                                               -> 159
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                          • String ID:
                                                                          • API String ID: 3676546796-0
                                                                          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                          Control-flow Graph

                                                                          control_flow_graph of 1400018ac (block id, address range, API calls in the block, successor blocks)
                                                                          173  1400018ac-1400018d6  OpenProcess     -> 174, 175
                                                                          174  140001901-140001912                  (no successors)
                                                                          175  1400018d8-1400018e8  IsWow64Process  -> 176, 177
                                                                          176  1400018f8-1400018fb  CloseHandle     -> 174
                                                                          177  1400018ea-1400018f3                  -> 176
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: Process$CloseHandleOpenWow64
                                                                          • String ID:
                                                                          • API String ID: 10462204-0
                                                                          • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                          • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                          Control-flow Graph

                                                                          control_flow_graph 178 140002258-14000225c call 14000226c 180 140002261-140002263 ExitProcess 178->180
                                                                          APIs
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                            • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                            • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                            • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                            • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                          • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                          • String ID:
                                                                          • API String ID: 3836936051-0
                                                                          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                          Control-flow Graph

                                                                          control_flow_graph 189 140002560-14000258c 190 140002592 189->190 191 14000273a-140002742 189->191 192 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 190->192 193 140002598-14000259f 190->193 194 140002748-14000274b 191->194 195 14000297e-1400029a2 ReadFile 191->195 196 140002a74-140002a8e 192->196 198 140002704-140002715 192->198 199 1400025a5-1400025a8 193->199 200 1400026bd-1400026bf ExitProcess 193->200 201 140002751-140002756 194->201 202 140002974-140002979 call 14000175c 194->202 195->196 197 1400029a8-1400029af 195->197 197->196 206 1400029b5-1400029c9 call 1400018ac 197->206 198->196 207 14000271b-140002733 call 1400010c0 198->207 208 1400025ae-1400025b1 199->208 209 140002660-14000268b RegOpenKeyExW 199->209 203 140002919-14000292c call 140001944 201->203 204 14000275c-14000275f 201->204 202->196 203->196 231 140002932-140002941 call 140001944 203->231 210 140002761-140002766 204->210 211 14000279d-1400027ae call 140001944 204->211 206->196 229 1400029cf-1400029d5 206->229 232 140002735 207->232 218 140002651-14000265b 208->218 219 1400025b7-1400025ba 208->219 216 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 209->216 217 14000268d-14000269b RegDeleteValueW 209->217 210->196 220 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 210->220 211->196 240 1400027b4-1400027d6 ReadFile 211->240 216->196 217->216 218->196 226 140002644-14000264c 219->226 227 1400025c0-1400025c5 219->227 226->196 227->196 234 1400025cb-1400025ef ReadFile 227->234 238 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 229->238 239 140002a5f 229->239 231->196 255 140002947-14000296f ShellExecuteW 231->255 232->196 234->196 236 1400025f5-1400025fc 234->236 236->196 243 140002602-140002616 call 1400018ac 236->243 258 140002a18-140002a1e 238->258 259 140002a49-140002a4f GetProcessHeap 238->259 245 140002a66-140002a6f call 140002a90 239->245 
240->196 247 1400027dc-1400027e3 240->247 243->196 264 14000261c-140002622 243->264 245->196 247->196 254 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 247->254 260 14000290b-140002914 GetProcessHeap 254->260 261 14000282d-140002839 254->261 255->196 258->259 265 140002a20-140002a32 258->265 262 140002a52-140002a5d HeapFree 259->262 260->262 261->260 266 14000283f-14000284b 261->266 262->196 268 140002624-140002633 call 1400010c0 264->268 269 140002638-14000263f 264->269 270 140002a34-140002a36 265->270 271 140002a38-140002a40 265->271 266->260 272 140002851-14000285c 266->272 268->196 269->245 270->271 276 140002a44 call 1400016cc 270->276 271->259 277 140002a42 271->277 273 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 272->273 274 14000285e-140002869 272->274 273->260 274->260 278 14000286f-14000287c call 140001c88 274->278 276->259 277->265 278->260
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                          • String ID: SOFTWARE$dialerstager$open
                                                                          • API String ID: 3276259517-3931493855
                                                                          • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                          • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                          Control-flow Graph

                                                                          control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 287 140001e8c-140001e91 286->287 288 140001cce-140001d25 CreateProcessW 286->288 287->286 291 140001e97 287->291 289 140001e88 288->289 290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 292 140001e5d-140001e60 290->292 293 140001d60-140001d7b WriteProcessMemory 290->293 294 140001e99-140001eb9 291->294 295 140001e62-140001e76 OpenProcess 292->295 296 140001e85 292->296 293->292 297 140001d81-140001d87 293->297 295->289 298 140001e78-140001e83 TerminateProcess 295->298 296->289 299 140001dd2-140001def VirtualAlloc 297->299 300 140001d89 297->300 298->289 299->292 301 140001df1-140001e07 GetThreadContext 299->301 302 140001d8c-140001dba WriteProcessMemory 300->302 301->292 304 140001e09-140001e2e WriteProcessMemory 301->304 302->292 303 140001dc0-140001dcc 302->303 303->302 305 140001dce 303->305 304->292 306 140001e30-140001e4c SetThreadContext 304->306 305->299 306->292 307 140001e4e-140001e5b ResumeThread 306->307 307->292 308 140001eba-140001ebf 307->308 308->294
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                          • String ID: @
                                                                          • API String ID: 3462610200-2766056989
                                                                          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                          • String ID: dialersvc64
                                                                          • API String ID: 4184240511-3881820561
                                                                          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$CloseEnumOpen
                                                                          • String ID: SOFTWARE\dialerconfig
                                                                          • API String ID: 3013565938-461861421
                                                                          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: File$Write$CloseCreateHandle
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 148219782-3440882674
                                                                          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.2619618506.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000001F.00000002.2619163841.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2619929734.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000001F.00000002.2620296845.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: ntdll.dll
                                                                          • API String ID: 1646373207-2227199552
                                                                          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                          Execution Graph

                                                                          Execution Coverage:1.6%
                                                                          Dynamic/Decrypted Code Coverage:95.1%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:123
                                                                          Total number of Limit Nodes:16
                                                                          execution_graph 15420 1ca7d1e28c8 15422 1ca7d1e290e 15420->15422 15421 1ca7d1e2970 15422->15421 15424 1ca7d1e3844 15422->15424 15425 1ca7d1e3866 15424->15425 15426 1ca7d1e3851 StrCmpNIW 15424->15426 15425->15422 15426->15425 15427 1ca7d1e3ab9 15431 1ca7d1e3a06 15427->15431 15428 1ca7d1e3a70 15429 1ca7d1e3a56 VirtualQuery 15429->15428 15429->15431 15430 1ca7d1e3a8a VirtualAlloc 15430->15428 15432 1ca7d1e3abb GetLastError 15430->15432 15431->15428 15431->15429 15431->15430 15432->15428 15432->15431 15433 1ca7d1e5cf0 15434 1ca7d1e5cfd 15433->15434 15435 1ca7d1e5d09 15434->15435 15436 1ca7d1e5e1a 15434->15436 15437 1ca7d1e5d3e 15435->15437 15438 1ca7d1e5d8d 15435->15438 15440 1ca7d1e5e41 VirtualProtect FlushInstructionCache 15436->15440 15441 1ca7d1e5efe 15436->15441 15439 1ca7d1e5d66 SetThreadContext 15437->15439 15439->15438 15440->15436 15442 1ca7d1e5f1e 15441->15442 15455 1ca7d1e43e0 15441->15455 15451 1ca7d1e4df0 GetCurrentProcess 15442->15451 15445 1ca7d1e5f23 15446 1ca7d1e5f77 15445->15446 15447 1ca7d1e5f37 ResumeThread 15445->15447 15459 1ca7d1e7940 15446->15459 15448 1ca7d1e5f6b 15447->15448 15448->15445 15450 1ca7d1e5fbf 15452 1ca7d1e4e0c 15451->15452 15453 1ca7d1e4e22 VirtualProtect FlushInstructionCache 15452->15453 15454 1ca7d1e4e53 15452->15454 15453->15452 15454->15445 15457 1ca7d1e43fc 15455->15457 15456 1ca7d1e445f 15456->15442 15457->15456 15458 1ca7d1e4412 VirtualFree 15457->15458 15458->15457 15460 1ca7d1e7949 15459->15460 15461 1ca7d1e7954 15460->15461 15462 1ca7d1e812c IsProcessorFeaturePresent 15460->15462 15461->15450 15463 1ca7d1e8144 capture_previous_context 15462->15463 15463->15450 15464 1ca7d1b273c 15465 1ca7d1b276a 15464->15465 15466 1ca7d1b27c5 VirtualAlloc 15465->15466 15469 1ca7d1b28d4 15465->15469 15468 1ca7d1b27ec 15466->15468 15466->15469 15467 1ca7d1b2858 LoadLibraryA 15467->15468 15468->15467 15468->15469 15470 1ca7d1e1abc 15475 1ca7d1e1628 GetProcessHeap 
15470->15475 15472 1ca7d1e1ad2 Sleep SleepEx 15473 1ca7d1e1acb 15472->15473 15473->15472 15474 1ca7d1e1598 StrCmpIW StrCmpW 15473->15474 15474->15473 15476 1ca7d1e1648 __std_exception_copy 15475->15476 15520 1ca7d1e1268 GetProcessHeap 15476->15520 15478 1ca7d1e1650 15479 1ca7d1e1268 2 API calls 15478->15479 15480 1ca7d1e1661 15479->15480 15481 1ca7d1e1268 2 API calls 15480->15481 15482 1ca7d1e166a 15481->15482 15483 1ca7d1e1268 2 API calls 15482->15483 15484 1ca7d1e1673 15483->15484 15485 1ca7d1e168e RegOpenKeyExW 15484->15485 15486 1ca7d1e18a6 15485->15486 15487 1ca7d1e16c0 RegOpenKeyExW 15485->15487 15486->15473 15488 1ca7d1e16e9 15487->15488 15489 1ca7d1e16ff RegOpenKeyExW 15487->15489 15531 1ca7d1e12bc RegQueryInfoKeyW 15488->15531 15490 1ca7d1e1723 15489->15490 15491 1ca7d1e173a RegOpenKeyExW 15489->15491 15524 1ca7d1e104c RegQueryInfoKeyW 15490->15524 15494 1ca7d1e1775 RegOpenKeyExW 15491->15494 15495 1ca7d1e175e 15491->15495 15499 1ca7d1e1799 15494->15499 15500 1ca7d1e17b0 RegOpenKeyExW 15494->15500 15498 1ca7d1e12bc 13 API calls 15495->15498 15501 1ca7d1e176b RegCloseKey 15498->15501 15502 1ca7d1e12bc 13 API calls 15499->15502 15503 1ca7d1e17d4 15500->15503 15504 1ca7d1e17eb RegOpenKeyExW 15500->15504 15501->15494 15507 1ca7d1e17a6 RegCloseKey 15502->15507 15508 1ca7d1e12bc 13 API calls 15503->15508 15505 1ca7d1e1826 RegOpenKeyExW 15504->15505 15506 1ca7d1e180f 15504->15506 15510 1ca7d1e1861 RegOpenKeyExW 15505->15510 15511 1ca7d1e184a 15505->15511 15509 1ca7d1e104c 5 API calls 15506->15509 15507->15500 15512 1ca7d1e17e1 RegCloseKey 15508->15512 15513 1ca7d1e181c RegCloseKey 15509->15513 15515 1ca7d1e1885 15510->15515 15516 1ca7d1e189c RegCloseKey 15510->15516 15514 1ca7d1e104c 5 API calls 15511->15514 15512->15504 15513->15505 15517 1ca7d1e1857 RegCloseKey 15514->15517 15518 1ca7d1e104c 5 API calls 15515->15518 15516->15486 15517->15510 15519 1ca7d1e1892 RegCloseKey 15518->15519 15519->15516 15542 1ca7d1f6168 15520->15542 15522 1ca7d1e1283 GetProcessHeap 
15523 1ca7d1e12ae __std_exception_copy 15522->15523 15523->15478 15525 1ca7d1e11b5 RegCloseKey 15524->15525 15526 1ca7d1e10bf 15524->15526 15525->15491 15526->15525 15527 1ca7d1e10cf RegEnumValueW 15526->15527 15528 1ca7d1e1125 __std_exception_copy 15527->15528 15528->15525 15528->15527 15529 1ca7d1e114e GetProcessHeap 15528->15529 15530 1ca7d1e116e GetProcessHeap HeapFree 15528->15530 15529->15528 15530->15528 15532 1ca7d1e1327 GetProcessHeap 15531->15532 15533 1ca7d1e148a RegCloseKey 15531->15533 15536 1ca7d1e133e __std_exception_copy 15532->15536 15533->15489 15534 1ca7d1e1476 GetProcessHeap HeapFree 15534->15533 15535 1ca7d1e1352 RegEnumValueW 15535->15536 15536->15534 15536->15535 15538 1ca7d1e13d3 GetProcessHeap 15536->15538 15539 1ca7d1e141e lstrlenW GetProcessHeap 15536->15539 15540 1ca7d1e13f3 GetProcessHeap HeapFree 15536->15540 15541 1ca7d1e1443 StrCpyW 15536->15541 15544 1ca7d1e152c 15536->15544 15538->15536 15539->15536 15540->15539 15541->15536 15543 1ca7d1f6177 15542->15543 15545 1ca7d1e1546 15544->15545 15548 1ca7d1e157c 15544->15548 15546 1ca7d1e1565 StrCmpW 15545->15546 15547 1ca7d1e155d StrCmpIW 15545->15547 15545->15548 15546->15545 15547->15545 15548->15536 15549 1ca7d1e554d 15551 1ca7d1e5554 15549->15551 15550 1ca7d1e55bb 15551->15550 15552 1ca7d1e5637 VirtualProtect 15551->15552 15553 1ca7d1e5663 GetLastError 15552->15553 15554 1ca7d1e5671 15552->15554 15553->15554

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: 48ce8952a82ebc74220c2487228d1bc0113687a5d257c47da5ea2c9a7a45dc1b
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: 12711737B51B1986FB119F61E880ED933A4FB85B8DF811111DA4E43B68DF3AC485C392

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 1437afb44a6030bed97caeb438423ad72f3f4486f91bb87fdb2879e943d99604
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: ED118E37B4574582FF159B51E404AA972B0FB89F8AF840129DE8903754EF3EC505C746

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction ID: 9e730dcd64c9b4873a2407d987be952f30225ce8fa84111ce86869373716654e
• Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction Fuzzy Hash: 37D1BC37644B8881FA71DB06E49079AB7A0F7C8B89F500216EACD47BA5DF3DC541CB92

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction ID: 186141dc81254af0a0e79f67f44779af937e48d3e6299e15823b50d9708dab82
• Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction Fuzzy Hash: B5021A33658B8886F761CB55F49079AB7A0F7C4789F500015EA8E87BA9DF7DC484CB42

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction ID: efa9a61321a05f5721407d38492656d5084e18caa73be618f57ab66f9e01f62e
• Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction Fuzzy Hash: 7F312733A59B8881FA32AA15E05479E76A0FBC4B8EF900515F5CD46798DF7EC1C08B87

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: 48bd2577c4afaca7072e3fbef1ae148441cb0d439950237a956cc62ed7abe44a
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: 49116133E9074882F7629761F845FE932A4BF54B4FFD04125A906415A2EF7BC04483D3

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction ID: 745996f67f8af34395719e6fd1a935c418c87249f72ce47cbee2d4951f10e5ff
• Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction Fuzzy Hash: E1F03037658B08C0F632DB11E441B9A7BA0F7887D8F940111FACD43B69DA3EC580CB82

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: 371cd42a6a5bec0abf48dcf5dd3b8f5c2ba92a03d5d6d1c4d01554504f57e61a
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: F5611233F417E887EB568F15D000BADB392FB54BA8F988121DE5D07788DA39D856C782

Control-flow Graph

APIs
  • Part of subcall function 000001CA7D1E1628: GetProcessHeap.KERNEL32 ref: 000001CA7D1E1633
  • Part of subcall function 000001CA7D1E1628: HeapAlloc.KERNEL32 ref: 000001CA7D1E1642
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E16B2
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E16DF
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E16F9
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1719
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1734
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1754
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E176F
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E178F
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17AA
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E17CA
• Sleep.KERNEL32 ref: 000001CA7D1E1AD7
• SleepEx.KERNELBASE ref: 000001CA7D1E1ADD
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17E5
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1805
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1820
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E1840
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E185B
  • Part of subcall function 000001CA7D1E1628: RegOpenKeyExW.ADVAPI32 ref: 000001CA7D1E187B
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1896
  • Part of subcall function 000001CA7D1E1628: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A0
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: 90bbf13b46906a81cca8f7b5d075952f832bd840b306eeba2e69fe4698c1ced9
• Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction Fuzzy Hash: 37312F33A8474941FB529B22DA40BE933B5BF44BCEF8A54618E0987295FE12C4D1C3B3

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction ID: ea87f51b4d246b202b162c5beb234da6051bdf7f7ec10de7cdedcfd0f2486952
• Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction Fuzzy Hash: C6B18E33A51B5882FB6A8F25D460BE973A5FF44B8EF84505AEE0953794DB36C840C382
APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction ID: c6cc1a2b66a7223f86c8833438918cb61fa612acceaea4aed7f027ca5527fed7
• Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction Fuzzy Hash: 5A316F77645B848AFB61DF60E840BED7360FB84748F84402ADA8E57B94EF39C548C752
APIs
Memory Dump Source
• Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction ID: 41f782a374a9e7ac0e04b499f40d3f10b57880f75d585e5a1c91e151fdb1a05c
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 7D31BE37644B8486FB21CF25E840BDE73A0FB89759F940126EA8D43B99EF39C145CB42
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 6c190a95eddca58bebb779cd6f5741fc51bdbaffc4857ac3b0ec7aa6c4f8f1e4
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: C1112E32B55F0589FB01CF60E8547A833A4FB5975CF840E21DE6D867A4EB79C19983C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction ID: e8a152b29c9dc1c6f23f48376aabb017e8c2a3263a0affc95413c9e1d5eb2ddd
                                                                          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction Fuzzy Hash: F551D433B4079489FB21DB72A840BDE7BA1FB4479DF988114EE5827B99DA39C401C742
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06bdc7bdcce5dafae6e0238bdb12be328aa1397a169adc73bdcff9f24297e149
                                                                          • Instruction ID: a448f7bb0c2100c17309db19a22ea3cdab781a59969db90d663f4ba9f1525f78
                                                                          • Opcode Fuzzy Hash: 06bdc7bdcce5dafae6e0238bdb12be328aa1397a169adc73bdcff9f24297e149
                                                                          • Instruction Fuzzy Hash: 9A31C5F7D8FBC84AF3934B784977A893F90BBA1B18F8E8056C381421C7A65759058383
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction ID: c70208b93198a25992856707a338619cefe2d793cbcf0771febef66b4268afc6
                                                                          • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction Fuzzy Hash: 7AF068727543988EEB998F68A402B5A77D1F708388FD08159D69983B04D33DC050CF45

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: e7645e214f6475b5f26edb55c88840f96c5a30b1b602d3f65bf79884d792b9a8
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 8A518DB3A45B8886FB11CF62E44879A77A1FB89F89F844124DE4907719DF3DC445C742

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 78337731afdec34c9cfa824d5e060e934d323296e0797ae460139294bdbcf7ad
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: ED31AF76D81B0EA0FA02EF65E861FE47321BF0135DFC51057941902566AE7AC28AC3E3
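The function above resolves NtQueryDirectoryFile, NtQueryDirectoryFileEx, NtEnumerateKey, NtEnumerateValueKey, NtQuerySystemInformation, NtResumeThread and NtDeviceIoControlFile by name (GetModuleHandle/GetProcAddress), which matches the "modifies the prolog of user mode functions" and "hooks ... query functions" signatures: the stubs are patched in place so that directory, registry and process enumeration can be filtered. The usual check for this from the responder's side is to compare the first bytes of each stub in the live process with a clean copy and decode where a patched prologue branches. The script below is an added example, not code from the report or the sample; the ntdll base, syscall numbers, trampoline address and the assumption that the hook targets lie in the dumped module region 0x1CA7D1E0000 are all constructed for illustration. In a real check the live bytes come from ReadProcessMemory on the suspect process and the reference bytes from the on-disk ntdll.dll.

```python
"""Inline-hook check for Nt* syscall stubs (added example, not part of the report)."""
import struct

NTDLL_BASE = 0x7FFA12340000   # constructed: ntdll load address in the target process
HOOK_MODULE = 0x1CA7D1E0000   # dumped module region from the report; hook targets inside it are assumed
TRAMPOLINE = 0x7FFA11F00000   # constructed: page within +-2 GiB of ntdll, reachable by a rel32 jmp

# (RVA, syscall number) per stub; both values are constructed and change between Windows builds.
STUBS = {
    "NtQueryDirectoryFile":     (0x9D100, 0x35),
    "NtEnumerateKey":           (0x9D2A0, 0x32),
    "NtEnumerateValueKey":      (0x9D2E0, 0x13),
    "NtQuerySystemInformation": (0x9D640, 0x36),
    "NtResumeThread":           (0x9DA80, 0x52),
}


def clean_stub(ssn):
    """Clean Windows 10 x64 stub: mov r10,rcx; mov eax,ssn; test/jne; syscall; ret; int 2Eh; ret."""
    return (b"\x4c\x8b\xd1\xb8" + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3\xcd\x2e\xc3")


def jmp_rel32(src, dst):
    """E9 rel32; only valid when dst is within +-2 GiB of the next instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def jmp_rax(dst):
    """mov rax, imm64; jmp rax: the common absolute 64-bit trampoline."""
    return b"\x48\xb8" + struct.pack("<Q", dst) + b"\xff\xe0"


def jmp_rip_indirect(dst):
    """jmp [rip+0] followed by the 8-byte pointer it dereferences."""
    return b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", dst)


def classify_redirect(code, addr):
    """Return (kind, target) if the first instruction leaves the stub, else None."""
    if code[:1] == b"\xe9" and len(code) >= 5:
        return ("jmp rel32", addr + 5 + struct.unpack_from("<i", code, 1)[0])
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return ("mov rax,imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0])
    if code[:2] == b"\xff\x25" and len(code) >= 6:
        slot = 6 + struct.unpack_from("<i", code, 2)[0]      # offset of the pointer slot
        if 0 <= slot and slot + 8 <= len(code):
            return ("jmp [rip+disp32]", struct.unpack_from("<Q", code, slot)[0])
        return ("jmp [rip+disp32]", addr + slot)              # slot lies outside what we read
    return None


def find_hooks(live, reference, bases):
    """Flag every stub whose live prologue differs from the clean reference bytes."""
    findings = []
    for name, ref in reference.items():
        cur = live.get(name)
        if cur is None or cur[:len(ref)] == ref:
            continue
        findings.append({"function": name,
                         "first_bytes": cur[:8].hex(),
                         "redirect": classify_redirect(cur, bases[name])})
    return findings


def build_sample():
    """Constructed snapshot: three recognised hooks, one unrecognised patch, one clean stub."""
    bases = {n: NTDLL_BASE + rva for n, (rva, _) in STUBS.items()}
    reference = {n: clean_stub(ssn) for n, (_, ssn) in STUBS.items()}
    live = dict(reference)

    def pad(patch, ref):                 # keep the stub length constant after patching
        return patch + ref[len(patch):]

    live["NtQueryDirectoryFile"] = pad(jmp_rel32(bases["NtQueryDirectoryFile"], TRAMPOLINE),
                                       reference["NtQueryDirectoryFile"])
    live["NtEnumerateKey"] = pad(jmp_rax(HOOK_MODULE + 0x5200), reference["NtEnumerateKey"])
    live["NtResumeThread"] = pad(jmp_rip_indirect(HOOK_MODULE + 0x5400), reference["NtResumeThread"])
    live["NtEnumerateValueKey"] = pad(b"\xcc", reference["NtEnumerateValueKey"])   # int3 patch
    return live, reference, bases


def scan_sample():
    live, reference, bases = build_sample()
    return find_hooks(live, reference, bases)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['function']:26} {f['first_bytes']}  {f['redirect']}")
```

A prologue that differs but matches none of the decoded patterns (the int3 case above) is still reported, since any deviation from the on-disk bytes in a syscall stub is worth a look; only a relocation-aware comparison avoids false positives, which is why the reference should be the image mapped with the same base rather than the raw file.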

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendering omitted): function 1ca7d1b6910-1ca7d1b6c2c in the 1ca7d1b0000 dump; it calls __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, i.e. the CRT DllMain startup path.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 99f2c08cbdff331c93203f278c729cdb7b88395c708101498294299cc26d5d2f
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7981D073F8430D8AFA52AB269451BE932A0FFA578CFD44015D94C4B796DB3BC8858783

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001CA7D1ECE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECEBC
                                                                          • SetLastError.KERNEL32 ref: 000001CA7D1ECED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001CA7D1EECCC,?,?,?,?,000001CA7D1EBF9F,?,?,?,?,?,000001CA7D1E7AB0), ref: 000001CA7D1ECF2C
                                                                            • Part of subcall function 000001CA7D1ED6CC: HeapAlloc.KERNEL32 ref: 000001CA7D1ED721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECF54
                                                                            • Part of subcall function 000001CA7D1ED744: HeapFree.KERNEL32 ref: 000001CA7D1ED75A
                                                                            • Part of subcall function 000001CA7D1ED744: GetLastError.KERNEL32 ref: 000001CA7D1ED764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CA7D1F0A6B,?,?,?,000001CA7D1F045C,?,?,?,000001CA7D1EC84F), ref: 000001CA7D1ECF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 8296048ea8ffe2076b5639f4ac60f58a94fc61a4852f985f49d5950637c27c62
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: C1416B32EC134C42FA6BA3355941BE972537F447BEFD84724A836466D6EA2AC84183C3
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: fd45427aeee6357c87aaea6c99e18d604ac28c80192c8d27bf1af2cc7dda8255
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 4E219233A5474483FB11CB24F454B9973A1FB89BA9FA00215EA5903BA8CF3DC149CF42
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 6d2781804dbe8b1ea41af8a2371f1589b4dd2bfa224022df002ce09c2fb839c7
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: E4E1BD73A44B488AFB629B65D480BDD77A0FB45B8CF800115EE8D57B99CB36C092C783
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 8c57a0ee9345419c73fab16e88ad87043601f387ae73b4eb170320544ddd202f
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 38E18B73A407488AFB22DF259580BDD77A0FB9979EF900116EE8957B95CB35C081C783
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 3f1bf872b977040abdece61366c477209e7c321d0cf28104e8ad10cb84968118
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 6641C233B91B0881FB17CB66A804BD53392BF45BE9FD942259D0A87785EE3AC4458393
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 0332acd1771d854494ee12fb43ad52b5304bce5d0e0612f73963db57a60a753a
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 2741A1B3614B88C6F761CF21E444B9E77A1F788B89F448129DA8947758DF39C485CB42
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001CA7D1EC7DE,?,?,?,?,?,?,?,?,000001CA7D1ECF9D,?,?,00000001), ref: 000001CA7D1ED087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1EC7DE,?,?,?,?,?,?,?,?,000001CA7D1ECF9D,?,?,00000001), ref: 000001CA7D1ED0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1EC7DE,?,?,?,?,?,?,?,?,000001CA7D1ECF9D,?,?,00000001), ref: 000001CA7D1ED0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1EC7DE,?,?,?,?,?,?,?,?,000001CA7D1ECF9D,?,?,00000001), ref: 000001CA7D1ED0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001CA7D1EC7DE,?,?,?,?,?,?,?,?,000001CA7D1ECF9D,?,?,00000001), ref: 000001CA7D1ED0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\winlogon.exe
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: ff6082552ba727c106ead55259fbc36506d939957c957cd3fda493e793e6ae59
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: C951D4739803888AFB758F159684BDCB7A0FB54B8EF984115EA8947BD5CB39C490C783
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 927c2fdad09794bd25794c7f784e0a77e787d82862998c5ac5c16faddc19a449
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 61519D33A517088AFB16DF15E444F993795FB54F9CF948128DA0E43B88EB36D8818B87
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 56ec0d371ec3460b2750359f6045c0d1bf5edbfbed1400ec1511aa951714bf4b
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: F7318A33A4174886FB169F11E844B9977A4FB44F8CF858018AE5E43B85DB3AC981C787
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 00fa72cab6ff883e5f3b1fb8a90b0589520b73edd2e7a3f6f8eb0508b6586a7e
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 39D1EE73B06B8889F712CFA9D440ADC3BB1FB4579CF804256CE5997B9ADA35C406C782
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: 52aec2bfa1a84c38979ad7b660f25c0f60e35b55fb02f8f4d3627a78bea016f4
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: BD91E033F4675889F762DF659440BED3BA0BB44B8CF944149DE0A97A84DB36C882C783
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: a7a464d998a13818dff7043b415c480fc730c321ae9d0af3c7f8a224529f5646
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 2471E437E4079985F726DF259850BEA7790FB9AB8AFC4011ADD0943B88DE36C541C383
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 663d0cdf61b7a31929ef5e369fcb4ece6e9975571219eafa033982f5a2a6eda5
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: 26615733A40B888AFB229F65D4807DD7BA0FB44B8CF444215EE8D17B98DB79D195C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 2baa006f8433f4dd066ae2f31979bb918442f7645726458859c6ae6fb974e8a8
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: D1510533A8478981F6368A29A168BFA7791FB86749FD50259DD4903B4ACA3BC50487C3
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 03fc06659c014acbab491e78cbeca63ad311804e2869c2ba40f389efd7815286
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 7941A373B15B8482EB21CF25E4447EA77A0FB98798F904121EE8D87794EB3DC441C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: e7ac8a37f4b25896d4bb65df61c78c916ff4b37cad3f2f8f153ed6f492886e7e
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: A8116D33605B8482EB228F15F40079977E0FB88B98F984221EE8C07759DF3DC551CB41
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 8b3f4309db0a49c8fd5b1ddc3c9158209024aaf48e899a8248ff8660e8bc8f7a
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 77E08673A80B4890FF028F21E8506E833A4EF58B6CBC89122995C06351FA38D1E9C342
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629244690.000001CA7D1B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: f408beb214d026d7562755bb5fd0a0bf77fc4fd21f5bae039add18967cadc347
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 8DE08673A40B48C0FF028F21D8505E87364FB58B58FC89122C94C06351EA38D1E5C342
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: eea621f113062a6406cf7ec60adaefb11558c4a8b8e83d2aebfa4c2cb5a21360
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: C311C476A01B4881FB05CB66E404AA973A1FFC9FC9F894024DE4D83765DF3AC482D382
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2629747459.000001CA7D1E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1ca7d1e0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: da8c3dafd84f4e9d3148870d217228cf2e181fae1a96b4a2815fc4d2442c645c
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 8FE039B6A4270886FB058B62D80878A36E1FB89B0AF848024C90907351DF7EC899C792
                                                                          Memory Dump Source
                                                                          • Source File: 0000002A.00000002.1353923956.00007FF669701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF669700000, based on PE: true
                                                                          • Associated: 0000002A.00000002.1353837614.00007FF669700000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 0000002A.00000002.1353985242.00007FF66970C000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 0000002A.00000002.1354024143.00007FF66970F000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 0000002A.00000002.1354049350.00007FF669710000.00000008.00000001.01000000.00000005.sdmp
                                                                          • Associated: 0000002A.00000002.1354577333.00007FF669C39000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 0000002A.00000002.1354607066.00007FF669C3C000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_42_2_7ff669700000_eejhedztifcv.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                          • Instruction ID: 4c26abe4b774d9d2dc42bcaed63a1a4f3ad7303a5335fcc7294ccda7a75d3151
                                                                          • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                                          • Instruction Fuzzy Hash: 08B012B0D04309C4E7042F01DC413683A706B0C7C5F400030DC0C4B352CE7F50508BA0

                                                                          Execution Graph

                                                                          Execution Coverage:0.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:96
                                                                          Total number of Limit Nodes:3
                                                                          execution_graph 15340 17d2dd51abc 15345 17d2dd51628 GetProcessHeap 15340->15345 15342 17d2dd51ad2 Sleep SleepEx 15343 17d2dd51acb 15342->15343 15343->15342 15344 17d2dd51598 StrCmpIW StrCmpW 15343->15344 15344->15343 15346 17d2dd51648 __std_exception_copy 15345->15346 15390 17d2dd51268 GetProcessHeap 15346->15390 15348 17d2dd51650 15349 17d2dd51268 2 API calls 15348->15349 15350 17d2dd51661 15349->15350 15351 17d2dd51268 2 API calls 15350->15351 15352 17d2dd5166a 15351->15352 15353 17d2dd51268 2 API calls 15352->15353 15354 17d2dd51673 15353->15354 15355 17d2dd5168e RegOpenKeyExW 15354->15355 15356 17d2dd516c0 RegOpenKeyExW 15355->15356 15357 17d2dd518a6 15355->15357 15358 17d2dd516ff RegOpenKeyExW 15356->15358 15359 17d2dd516e9 15356->15359 15357->15343 15361 17d2dd51723 15358->15361 15362 17d2dd5173a RegOpenKeyExW 15358->15362 15394 17d2dd512bc RegQueryInfoKeyW 15359->15394 15405 17d2dd5104c RegQueryInfoKeyW 15361->15405 15365 17d2dd5175e 15362->15365 15366 17d2dd51775 RegOpenKeyExW 15362->15366 15370 17d2dd512bc 13 API calls 15365->15370 15367 17d2dd517b0 RegOpenKeyExW 15366->15367 15368 17d2dd51799 15366->15368 15372 17d2dd517d4 15367->15372 15373 17d2dd517eb RegOpenKeyExW 15367->15373 15371 17d2dd512bc 13 API calls 15368->15371 15374 17d2dd5176b RegCloseKey 15370->15374 15375 17d2dd517a6 RegCloseKey 15371->15375 15376 17d2dd512bc 13 API calls 15372->15376 15377 17d2dd5180f 15373->15377 15378 17d2dd51826 RegOpenKeyExW 15373->15378 15374->15366 15375->15367 15379 17d2dd517e1 RegCloseKey 15376->15379 15380 17d2dd5104c 5 API calls 15377->15380 15381 17d2dd51861 RegOpenKeyExW 15378->15381 15382 17d2dd5184a 15378->15382 15379->15373 15385 17d2dd5181c RegCloseKey 15380->15385 15383 17d2dd5189c RegCloseKey 15381->15383 15384 17d2dd51885 15381->15384 15386 17d2dd5104c 5 API calls 15382->15386 15383->15357 15387 17d2dd5104c 5 API calls 15384->15387 15385->15378 15388 17d2dd51857 RegCloseKey 
15386->15388 15389 17d2dd51892 RegCloseKey 15387->15389 15388->15381 15389->15383 15411 17d2dd66168 15390->15411 15392 17d2dd51283 GetProcessHeap 15393 17d2dd512ae __std_exception_copy 15392->15393 15393->15348 15395 17d2dd5148a RegCloseKey 15394->15395 15396 17d2dd51327 GetProcessHeap 15394->15396 15395->15358 15402 17d2dd5133e __std_exception_copy 15396->15402 15397 17d2dd51352 RegEnumValueW 15397->15402 15398 17d2dd51476 GetProcessHeap HeapFree 15398->15395 15400 17d2dd513d3 GetProcessHeap 15400->15402 15401 17d2dd5141e lstrlenW GetProcessHeap 15401->15402 15402->15397 15402->15398 15402->15400 15402->15401 15403 17d2dd513f3 GetProcessHeap HeapFree 15402->15403 15404 17d2dd51443 StrCpyW 15402->15404 15413 17d2dd5152c 15402->15413 15403->15401 15404->15402 15406 17d2dd510bf __std_exception_copy 15405->15406 15407 17d2dd511b5 RegCloseKey 15405->15407 15406->15407 15408 17d2dd510cf RegEnumValueW 15406->15408 15409 17d2dd5114e GetProcessHeap 15406->15409 15410 17d2dd5116e GetProcessHeap HeapFree 15406->15410 15407->15362 15408->15406 15409->15406 15410->15406 15412 17d2dd66177 15411->15412 15414 17d2dd5157c 15413->15414 15415 17d2dd51546 15413->15415 15414->15402 15415->15414 15416 17d2dd5155d StrCmpIW 15415->15416 15417 17d2dd51565 StrCmpW 15415->15417 15416->15415 15417->15415 15418 17d2dd5202c 15420 17d2dd5205d 15418->15420 15419 17d2dd5213e 15420->15419 15421 17d2dd52173 15420->15421 15427 17d2dd52081 15420->15427 15422 17d2dd52178 15421->15422 15423 17d2dd521e7 15421->15423 15436 17d2dd52f04 GetProcessHeap 15422->15436 15423->15419 15426 17d2dd52f04 9 API calls 15423->15426 15425 17d2dd520b9 StrCmpNIW 15425->15427 15426->15419 15427->15419 15427->15425 15429 17d2dd51bf4 15427->15429 15430 17d2dd51c8f 15429->15430 15431 17d2dd51c1b GetProcessHeap 15429->15431 15430->15427 15432 17d2dd51c41 __std_exception_copy 15431->15432 15432->15430 15433 17d2dd51c77 GetProcessHeap HeapFree 15432->15433 15434 17d2dd5152c 2 API calls 15432->15434 15433->15430 15435 17d2dd51c6e 
15434->15435 15435->15433 15438 17d2dd52f40 __std_exception_copy 15436->15438 15437 17d2dd53015 GetProcessHeap HeapFree 15437->15419 15438->15437 15439 17d2dd53010 15438->15439 15440 17d2dd52fa2 StrCmpNIW 15438->15440 15441 17d2dd51bf4 5 API calls 15438->15441 15439->15437 15440->15438 15441->15438 15442 17d2dd2273c 15444 17d2dd2276a 15442->15444 15443 17d2dd22858 LoadLibraryA 15443->15444 15444->15443 15445 17d2dd228d4 15444->15445

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: S$dialer
                                                                          • API String ID: 756756679-3873981283
                                                                          • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction ID: 155143b81f3208abd6031ca8c042dd218b69dc177d281ba8a3fc227f7ed7204d
                                                                          • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction Fuzzy Hash: 2D519036A19F2886EB65CB26F840BEE6BB5FB04784F49D111DE0D12A46DBB5C8D6C340

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 214331da1523383085459dc1cf3a72151d1bd42f80546dae1799ce22ecc2b291
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: BE118431A1CF8D83F7609B21F8053D926B4AF55344F5C4125E98E415B3EFB8C0C78290

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0000017D2DD51628: GetProcessHeap.KERNEL32 ref: 0000017D2DD51633
                                                                            • Part of subcall function 0000017D2DD51628: HeapAlloc.KERNEL32 ref: 0000017D2DD51642
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD516B2
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD516DF
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD516F9
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51719
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD51734
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51754
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD5176F
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5178F
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD517AA
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517CA
                                                                          • Sleep.KERNEL32 ref: 0000017D2DD51AD7
                                                                          • SleepEx.KERNELBASE ref: 0000017D2DD51ADD
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD517E5
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51805
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD51820
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51840
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD5185B
                                                                            • Part of subcall function 0000017D2DD51628: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5187B
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD51896
                                                                            • Part of subcall function 0000017D2DD51628: RegCloseKey.ADVAPI32 ref: 0000017D2DD518A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: cfab3b19dcfdcf9e87aa71fa765fb915cf326640258249606d793b06c54be810
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 9A31A671208F4992FF509B26FA513E933B5AF89BD0F0C54219E0E87697EEA4D8D3C211

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: fcf441e1754b082eeb0dc43f4d16f1b5c1afe7c2daf29257db32d68def31b461
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 0961CF72B09B9887DB548F15A4047ADBBB2FB54B94F58C121EE5D0778BDA38D893C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: 201516ddcaf24fdd76f134af1e762875554fce00627c25cbf5f5624f50459020
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 7DB1AF32219F9882EB598F65E8407E96BB4FF44B94F089016DE0D53796DBB4CCD6C380
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: d09eceb89f3b3aeb48a36599c91742e07293e75ce02d211f460f49612921f3db
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: D6314C76209F849AEB609F60F8407ED7374FB84744F48402ADA4E47A95EF78C589C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: c02fd4a5eef356ca583dd9c02c32a451806272cee0a4144696469ec3958c9c8e
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 69315E36218F8496EB608F25F8407EE73B0FB89754F580126EA9D43B5ADF78C186CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: f373a902904968e4baa70c809983a53cdb0f74efc4af513bb47583a410abd3e2
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: CB71FB3A218F5986EB209F66F8506D93374FF95B88F481121DE4E47B6ADF78C486C780

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: ca431eb5b86f1c7f31f016aeb69dd73664c1ec0d3564cef57299be2ebb00ac88
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 99513B36208F8886EB54CF62F54839AB7B5FB89B99F084124DA494775ADF7CC086C780

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 888e83b1464c83c4bc2c18822326379b4c1162a761cc58044e87b3a2047edb67
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 34316C79208F8EA0FA05EF6AFC517E42730AF54354F889053941D1656BAEB896CFC390

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 10541f2b35d742c4c84b7a2207444849f7b2fb7bb2936c4aa477646f18f77050
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7C81917960CF8D86FAA4AB65B8493D966B0EF85780F5C80259A0D4779FDB39CCC78700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 0000017D2DD5CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CEBC
                                                                          • SetLastError.KERNEL32 ref: 0000017D2DD5CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,0000017D2DD5ECCC,?,?,?,?,0000017D2DD5BF9F,?,?,?,?,?,0000017D2DD57AB0), ref: 0000017D2DD5CF2C
                                                                            • Part of subcall function 0000017D2DD5D6CC: HeapAlloc.KERNEL32 ref: 0000017D2DD5D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CF54
                                                                            • Part of subcall function 0000017D2DD5D744: HeapFree.KERNEL32 ref: 0000017D2DD5D75A
                                                                            • Part of subcall function 0000017D2DD5D744: GetLastError.KERNEL32 ref: 0000017D2DD5D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000017D2DD60A6B,?,?,?,0000017D2DD6045C,?,?,?,0000017D2DD5C84F), ref: 0000017D2DD5CF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: d68e572aac73047c3c51cb78b25c2777a471a73fa15f95309a12a5a131a6f134
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 30414F3424DF4C41FA68A77975563E923B29F457B0F1C1B24A93E4A6E7EEA894D38300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: e1779b7dc264c41871ab8402e7fa592fe41db8376b26c2f7e3fe8b356875aab4
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: D4215336618B8883F710CB25F44439977B0FB897A4F584215EA5D03BA9CF7CC18ACB80

                                                                          Control-flow Graph

                                                                          control_flow_graph: entry block 17d2dd5a544 (rendered graph with executed/not-executed colouring; raw node/edge list omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: bdeaed834d91e066082b2cd880e464d4d74c043ab12675f5ad6e09e9ad3862f2
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 8DE17C72608F588AEB209F65E4803DD7BB0FB45798F582116EE8D57B9ACB74D0C6CB00

                                                                          Control-flow Graph

                                                                          control_flow_graph: entry block 17d2dd29944 (rendered graph with executed/not-executed colouring; raw node/edge list omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: cd1909da564486c33fd5c65385533ee64d4be228643e36edc2a68ea4a3a6425f
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: F6E18C72648B888AEB609B65E4883DD77B0FB85798F184115EE8D57B9FCB34C5D2C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: cff03d2ade0e020ec692bca3fec052358bdd6c7ad0630a59d247d7c5ded0803b
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: FA418232319F4851FB15CB66B8047D623B5FF45BA0F5D46259D0E8B78AEA78C4878390

                                                                          Control-flow Graph

                                                                          control_flow_graph: entry block 17d2dd5104c, calls RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapFree (rendered graph with executed/not-executed colouring; raw node/edge list omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 7ceb33411e866d5e6bad0885634960f762de516c8c48caabf9af1da6179ea09c
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 35415F36218F84C6E760CF61F44479A77B1F789B98F088129DA8947759DF7CC48ACB80
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000017D2DD5C7DE,?,?,?,?,?,?,?,?,0000017D2DD5CF9D,?,?,00000001), ref: 0000017D2DD5D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5C7DE,?,?,?,?,?,?,?,?,0000017D2DD5CF9D,?,?,00000001), ref: 0000017D2DD5D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5C7DE,?,?,?,?,?,?,?,?,0000017D2DD5CF9D,?,?,00000001), ref: 0000017D2DD5D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5C7DE,?,?,?,?,?,?,?,?,0000017D2DD5CF9D,?,?,00000001), ref: 0000017D2DD5D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000017D2DD5C7DE,?,?,?,?,?,?,?,?,0000017D2DD5CF9D,?,?,00000001), ref: 0000017D2DD5D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 5154c93d068d10a1e945b58184a0e0201f16f14cb9cb9ab8264952e70cf091d5
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: AB114C3064CB4C41FA68A739B9523E96275AF447F0F1C5324E82E4A6EBDEA8C4C38210
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: e2c28e9c43fdaf6d7950bc8e7dcfae3bff719fb9d48d50af83f38ace045fed18
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: B681AF3060CF4EA6FAB0AB66B4413D926B0AF45B80F2C4455E90D47797EBB8C8C78740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 82f7838ad94713cf2084c215003bcf0328065fd8f0f8ad9d488098c119fc8392
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 6D31C23121BF48A1EE119B86B8007E522B4BF48BA0F5D06259D2D4B796EF78C6D78340
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: ea3a63099e4bd6fc9fc88f750c7bc55e678addbdfab8018aa84a990dcdc11d56
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 7F115E31218F8486E7508B56F84435976B0FB88FE4F084224EA6E87796CB3CC49687C4
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 14e430fe00e95c50cec8d9cb46a6a5414bd8b7d062380db77b6ae17ec3c80415
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 11115B3A708B8983EF189B21F4042A966B0FB89B85F480069DE8D07796EF3DC586C744
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 335ccaf47bda0d5dd0922acdaab73b54d7caffec967b7b5861b83fc30812af85
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: E7D17B76209F8881DA71DF06F49439A77B0F788B84F140256EACD47B6ADF78C592CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: 0230e169c366584fc835d7048ce1a4f9b827dda45302ed53d4d2da1fb762844c
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: D4315C36709F5983EA54DF16B9407AA6BB0FF44B84F0C81249E4C47B56EB78D4EA8780
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\lsass.exe
                                                                          • API String ID: 3168794593-3553486595
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: 2d5b6617ece1dd570ac47f263be0d53089bc250c903f123d4342631771f7ed81
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: 51316DBF54DFC88AE3518F75B8552992BB0FB99F40F0D8096DB8843247EA2D948687C0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: bbc6a41099dd5a17270725d9b36443500c25c3cae1af76ce33926e4c6c33bdd2
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: 67115C3424DF8841FA64A739B5553A92272AF857B0F1C0724E83E4A7EBDEA884C38310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 3df08bc0e274fd3b34b5b0dbf9f02f2257eae06cdf6fe6a10ddfa2816b121c7d
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: B3010535308B8882EA64DB52B85879963B5FB88BC4F884075DE5D43756DF3DC98A8780
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: f24fa2aad1f6ccfe3c5f40d64530b4ff01bea0f5f75abe919ea4a6c477ed8970
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: BC012979619F8982FB249B21F80879977B0FF49B86F084464CD4D07766EF3DC19A8780
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: a81db0b67a2eb7f1a73ed3c669436fa5414171ee8f5b59af52ebe3c390cd136c
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 3651A436709B1886DB14DF25F448B9937B6FB58B88F188524DA0E4774AEBB5D8C2C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: bb9ee6d5d2854114a24f2ca4c814b681745e9581d68bb0e9d4f3a3abf8f9be72
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 2931E036208B5897E710DF25F848B9937B5FB44B88F088518EE4E0778ADB79D982C744
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: 5ba28880476b1b58ce267a7bdad5310d6327c2677bc23d1de7ae17b14c72ffd6
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: A2F03136308B8992E7708F25F9947996774FB48B98F884020DA4D4655ADA6DC6CFCB80
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: a7a9063c7dca6d67b69c39055377418c24b560d5b242d4ac3647c1b5c43d6db2
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: BEF06D75219F4C91EB108F64F8443A96330EF89BA1F580259DA6E466E6DF3CC0CAC3C0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: d1af86b7dc9d4c02dc9e9ba88acbca0d8203c7d254f4a35dd1ad92e41bb022f5
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: ECF0F879618FC892EA148F57B914199A675AF48FD0F0C9160EE4E47B2ADE28C4968780
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: e7bb3d7a424d16d6639218f3a29322317eeb4f967574d6a86b6659e314bd5c8b
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: B402C43261DB8886EB61CF59F49079AB7B0F7C4790F144115EA8E87BA9DBBCC485CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: fe8b9f1cb658fcbb6f3a66605413847c88da993d077414e375bd751c5d8fdec5
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: A461C63651DF88C6E6618F15F44435AB7B0FB88784F581255EA8E47BAADBBCC486CF00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: a2e73b0dc39c3a45163b5e1fe24a4393a9607e531bb5d94db0e97e30a564c429
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 7211A332A5CF5815F6A41668F4513E911706F783B8F1C4625A97E076DFCA2CE8C352C0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 477c9a34daed5c8165e8d81058373679db092c7b8c61830a0374f52ce82835b2
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 5811773361CF5917FAD41528FB553E911B16FD8374F8C4628A9EE0A6D7CA24D8C34A00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction ID: 43d9dddd7d87b068f499d0fdd4dce39bb763552f788187762af13b592a091dc5
                                                                          • Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction Fuzzy Hash: A1114C34209F9842FE549725B8843E922B1AF48BE0F0C5624D92E077DFDA78C8CBC700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 404a8fd3a07e50e84a6b6d7519f50f470db59ed2827b0a5a5bd42659157b0151
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: F3617D76608F4C42FA668A7AF5497EA2AB1AF85740F9D4C15CA0E177DFDB34C8C38200
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 7690aaae0e4b2262e5bca8c680bb55033b9461ae702e00063689349ef27dbae7
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: CD614B36608B588AEB20DF65E4403DD77B0FB44B88F085215EE4D17B9ADBB8D59AC740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 154700f38c1b69783df6a378d411671468d94bd339d233544ea2a5e0ab197207
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 0551907610CB988AEB648B15B48439977B0FB54B84F1C6116EA4D47B96CBB8E4EAC700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 5febf20ca8be60a294598188ac8e06a527c5694235806c0fd98dbb137e8aa58c
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 9C518E3210CB88CAFB648B55A54839877B0FB55B94F1C6116DA9D87BDBCB38D5D2C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: ebaa93514360deb3c4a0a09a1e9737b1dd9c88c483c05ef692c930f299638c4c
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 4A51AB32649B088BEB54CB15F448BA937B5FB54B98F588124DA4E4378FEB34C8C28B04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: fe002749a5d160103fa0e0e47d814535d87942aed18f2ca8a6d465f99c7a9653
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: A0318D32249B4496E754DF11F84879977B9FB44B98F198114EE9E07B8FDB38C982CB04
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 7152cc84080426dd393db4e38e76c3e4fe8dbea9a1cbbda6f4e6e3b4679a9860
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 35D1CF32718B8889E711CFA9E4403DC3BB5FB55798F588216CE5D97B9ADA34C587C380
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: b044381306ab9c6176738c66a68acd90023a20d202c02ae602019e1ccdecad08
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: 79918172618F5899F7609F69B4403ED2FB0EB54B88F188109DE4E67A9ADA35C4C7C7C0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: b33fbbc4129736c9bf654a6e7fd5a1510d97486ebb9906592996c4b0fc058f04
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 93112A36754F498AEB00CF60F8553A833B4FB19758F481E21DA6D467A9DF78C19A8380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: c0d3531c21c4d31313f67105679082d8c56846684e84a2b0545e0e951a74e749
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 4571D736208F8A46E725DF25F8443EA6BB4FB89784F484016DD4D53B8ADEB5C58AC700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 1839f8c3ad161bc230c463d9a6d868dcf13723bc0d4c69507e66fae6d60f642e
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: 84614732609B888AEB20DF65E4843DD77B0FB48B98F084215EF4D17B9ADB38D596C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 5d967f130145fd2457fc1d8960457ffbf35bdc14831b63443ba8836e30615b82
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 6251193220CB8981E634CE29B4543FA6B75FB95744F4C8125DD9E03B4BDAB9C58AC780
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 533c181d1c4fc9b0d992494bedecaf397c0798d3602d327ef67923b0e5bd60ba
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 6E41A232719B8482EB20DF25F8447E967B0FB98794F588021EE4D87799DB7CC582C780
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: 7501787f3bdaefa2e8ecfcba4a6aeb5f79ff854105b5d2d6e2058d57a5b9088e
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 9F111936219F8482EB618B15F44039977F5FB88B94F5C4224EA8D07759DF78C592CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 6f68ef48875825ce838e86f1a341d560eb1e4ad070bd9e76c7a0e58232261100
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: ACE08671644F4C90DF018F21F8402D833B0DF58B64B4C9122995C07316FA38D1EAC710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2643916103.0000017D2DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd20000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 2445f953400bc03a80d3df9aa50630c983575cfd672fe7edebf9eeb921a494bc
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 79E08C71A44F4C80DF028F21E8802D873B0EB68B64B8C9122CA5C07316EA38D1EAC310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 9cee9b783636be087741f5e1b8df2ae14b651d31430e169093af8b925976ad96
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 18113A39605F8881EA54DB66B8082A9B7B1FB89FC0F1C4168DE4D97767DE79D4838380
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002B.00000002.2644113965.0000017D2DD50000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_43_2_17d2dd50000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: f1bcd8aa1abc8590651bf66f0bbd1f21628ae84c1cd742650bcaa24afb1b9de1
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 2FE03939641B4886EB048B62F80838A36F1EB89B06F0880248A0947352DF7D84DAC7D0

                                                                          Execution Graph

                                                                          Execution Coverage: 0.7%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 74
                                                                          Total number of Limit Nodes: 2
                                                                          execution_graph 14978 22f4b8f273c 14980 22f4b8f276a 14978->14980 14979 22f4b8f2858 LoadLibraryA 14979->14980 14980->14979 14981 22f4b8f28d4 14980->14981 14982 22f4b921abc 14987 22f4b921628 GetProcessHeap 14982->14987 14984 22f4b921ad2 Sleep SleepEx 14985 22f4b921acb 14984->14985 14985->14984 14986 22f4b921598 StrCmpIW StrCmpW 14985->14986 14986->14985 14988 22f4b921648 __std_exception_copy 14987->14988 15032 22f4b921268 GetProcessHeap 14988->15032 14990 22f4b921650 14991 22f4b921268 2 API calls 14990->14991 14992 22f4b921661 14991->14992 14993 22f4b921268 2 API calls 14992->14993 14994 22f4b92166a 14993->14994 14995 22f4b921268 2 API calls 14994->14995 14996 22f4b921673 14995->14996 14997 22f4b92168e RegOpenKeyExW 14996->14997 14998 22f4b9216c0 RegOpenKeyExW 14997->14998 14999 22f4b9218a6 14997->14999 15000 22f4b9216ff RegOpenKeyExW 14998->15000 15001 22f4b9216e9 14998->15001 14999->14985 15003 22f4b921723 15000->15003 15004 22f4b92173a RegOpenKeyExW 15000->15004 15036 22f4b9212bc RegQueryInfoKeyW 15001->15036 15047 22f4b92104c RegQueryInfoKeyW 15003->15047 15007 22f4b921775 RegOpenKeyExW 15004->15007 15008 22f4b92175e 15004->15008 15009 22f4b9217b0 RegOpenKeyExW 15007->15009 15010 22f4b921799 15007->15010 15012 22f4b9212bc 13 API calls 15008->15012 15014 22f4b9217d4 15009->15014 15015 22f4b9217eb RegOpenKeyExW 15009->15015 15013 22f4b9212bc 13 API calls 15010->15013 15016 22f4b92176b RegCloseKey 15012->15016 15017 22f4b9217a6 RegCloseKey 15013->15017 15018 22f4b9212bc 13 API calls 15014->15018 15019 22f4b92180f 15015->15019 15020 22f4b921826 RegOpenKeyExW 15015->15020 15016->15007 15017->15009 15021 22f4b9217e1 RegCloseKey 15018->15021 15022 22f4b92104c 5 API calls 15019->15022 15023 22f4b921861 RegOpenKeyExW 15020->15023 15024 22f4b92184a 15020->15024 15021->15015 15027 22f4b92181c RegCloseKey 15022->15027 15025 22f4b921885 15023->15025 15026 22f4b92189c RegCloseKey 15023->15026 15028 22f4b92104c 5 API calls 15024->15028 15029 22f4b92104c 5 API calls 15025->15029 15026->14999 15027->15020 15030 22f4b921857 RegCloseKey 15028->15030 15031 22f4b921892 RegCloseKey 15029->15031 15030->15023 15031->15026 15053 22f4b936168 15032->15053 15034 22f4b921283 GetProcessHeap 15035 22f4b9212ae __std_exception_copy 15034->15035 15035->14990 15037 22f4b92148a RegCloseKey 15036->15037 15038 22f4b921327 GetProcessHeap 15036->15038 15037->15000 15039 22f4b92133e __std_exception_copy 15038->15039 15040 22f4b921352 RegEnumValueW 15039->15040 15041 22f4b921476 GetProcessHeap HeapFree 15039->15041 15043 22f4b9213d3 GetProcessHeap 15039->15043 15044 22f4b92141e lstrlenW GetProcessHeap 15039->15044 15045 22f4b9213f3 GetProcessHeap HeapFree 15039->15045 15046 22f4b921443 StrCpyW 15039->15046 15055 22f4b92152c 15039->15055 15040->15039 15041->15037 15043->15039 15044->15039 15045->15044 15046->15039 15048 22f4b9211b5 RegCloseKey 15047->15048 15051 22f4b9210bf __std_exception_copy 15047->15051 15048->15004 15049 22f4b9210cf RegEnumValueW 15049->15051 15050 22f4b92114e GetProcessHeap 15050->15051 15051->15048 15051->15049 15051->15050 15052 22f4b92116e GetProcessHeap HeapFree 15051->15052 15052->15051 15054 22f4b936177 15053->15054 15056 22f4b92157c 15055->15056 15057 22f4b921546 15055->15057 15056->15039 15057->15056 15058 22f4b921565 StrCmpW 15057->15058 15059 22f4b92155d StrCmpIW 15057->15059 15058->15057 15059->15057

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 499753e5498616a5248436bfd7ad92956633407b8286327215e6ea229ab40278
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 92115E28E18200A6FBE8BFE1EB2D35B23B4A754344F8049349B4682597EFFCC148C311

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0000022F4B921628: GetProcessHeap.KERNEL32 ref: 0000022F4B921633
                                                                            • Part of subcall function 0000022F4B921628: HeapAlloc.KERNEL32 ref: 0000022F4B921642
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9216B2
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9216DF
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B9216F9
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921719
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B921734
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921754
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B92176F
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92178F
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B9217AA
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217CA
                                                                          • Sleep.KERNEL32 ref: 0000022F4B921AD7
                                                                          • SleepEx.KERNELBASE ref: 0000022F4B921ADD
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B9217E5
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921805
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B921820
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921840
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B92185B
                                                                            • Part of subcall function 0000022F4B921628: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92187B
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B921896
                                                                            • Part of subcall function 0000022F4B921628: RegCloseKey.ADVAPI32 ref: 0000022F4B9218A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: cfcf9aca8d9fa6c356e958a7aeb12d4f996e4ae4aaeb90c34f58094a98a870a3
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 2831AC6DE1066161FBD8BFF6D76936B23B4AB44BC0F0459319F098769BEE98C471C210

                                                                          Control-flow Graph

Control-flow graph (rendered graph not reproduced): four blocks spanning 22f4b923844-22f4b923870; block 22f4b923851-22f4b923864 calls StrCmpNIW.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer
                                                                          • API String ID: 0-3528709123
                                                                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction ID: 606930cdb4700d14d3951725284149e6cd9df57b4dff78a4ff21b0a3433bbc43
                                                                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction Fuzzy Hash: 4DD05E68F15205AAFB98AFE6C9EC6622370EB08744F8C9030CA0045151DB98899DDB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 4c50ac63591964c54a9a2d23cedf9431965fbbf44280cedf0482e598f9c02324
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 8D61223AF0129497DF94AF54C204F2A73A2F754BA5F588131EF490778AEA78D853C700

                                                                          Control-flow Graph

Control-flow graph (rendered graph not reproduced): function 22f4b922b2c-22f4b922f03, entry calls 22f4b942ce0. API-calling blocks: 22f4b922bc9 GetModuleHandleA, 22f4b922c14 StrCmpNIW, 22f4b922d4b and 22f4b922e05 lstrlenW. Loop body 22f4b922c60-22f4b922ed2 (back edge 22f4b922ed2 -> 22f4b922c60) calls helpers 22f4b92199c, 22f4b921bbc, 22f4b92152c (StrCmpW / StrCmpIW), 22f4b923844 (StrCmpNIW) and 22f4b9285c0; 22f4b922bdb calls 22f4b936090.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: bcf7f1ee5ddb0453fe9bd56a1718b2b306548187ea50fb95823794d523efe43d
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: CBB1BF3AE10650A2FF9CAFA5D66876A73B4FB44B84F045836EF0957796DBB8C844C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: a04e2be782a9479eefdbbbc9edbcf7652d8c43eded4af119ba3e2e7215a11d47
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: B8313C76A05A809AEBA4AFA0E8943EE6370F788744F444439DB4D57B95EF78C548C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 43af27b815cd5b64c3f44c815349252d9f52db7ade0dad81ec23985faf94ec88
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: F531BF3AA04B8096EBA4EF65E89439E33B0F788754F440535EB8D43B96DF78C145CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: e5766046f156c363c883a85334d0fbf2df80b36a5027c18cc8da2133ea49a9b5
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 5C71243AF10A1095EB50AFE6E9A965A3374F789B88F002531DF4D8776ADF78C464C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 46f71d7faf0e95b6912db930efd0f35ae2342ef1ddce4bcae0a06502c4c35caa
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 5B51273AA04B8496EB94EFA2E66835B77B1F789B89F048134DB490771ADFBCC055C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: d207d9220f18b6cea06c763a37e9b0cb56c9ff3a490cc8220af777ee07cf9adf
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 7A31B26CD1090AB0FE8CFFE5EA796E63330BB08344F9458339619425639EFC8669D350
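The strings in this function (EnumServiceGroupW, EnumServicesStatusExW, NtDeviceIoControlFile, NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQueryDirectoryFileEx, NtQuerySystemInformation, NtResumeThread, resolved from advapi32.dll, ntdll.dll and sechost.dll) are the exports the sample locates with GetProcAddress before patching their prologs, which is what the "Modifies the prolog of user mode functions (user mode inline hooks)" signature above reports. The following is an added example for this report, not code from the sample or from Joe Sandbox: a portable check that tells a hooked prolog from a clean one by comparing the bytes the process actually executes with the on-disk copy of the same export and by recognising the transfer instructions an inline hook writes. All input bytes are constructed (a clean x64 Nt* stub in the ntdll.dll layout with made-up syscall numbers, a made-up advapi32/sechost prolog, and four hooked variants); on a real host the two maps would be filled from ReadProcessMemory and from the DLL file parsed at its export RVAs.

```python
"""Detect user-mode inline (prolog) hooks on the exports this sample patches.

Added example for this report; not part of the sample or of Joe Sandbox.
The byte strings are constructed: syscall numbers, hook targets and the
advapi32/sechost prolog are placeholders chosen for illustration only.
"""
import struct

# Exports the sample resolves via GetProcAddress before patching them
# (strings recovered from the svchost.exe memory dump in this report).
HOOK_TARGETS = {
    "ntdll.dll": ["NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
                  "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
                  "NtQuerySystemInformation", "NtResumeThread"],
    "advapi32.dll": ["EnumServicesStatusExW"],
    "sechost.dll": ["EnumServiceGroupW"],
}

PROLOG_LEN = 16  # bytes compared between memory and disk


def syscall_stub(ssn: int) -> bytes:
    """Constructed clean x64 Nt* stub in the ntdll.dll layout:
    mov r10,rcx ; mov eax,SSN ; test byte ptr [7FFE0308h],1 ; jne +3 ;
    syscall ; ret ; int 2Eh ; ret. The SSN is a placeholder, not a real number."""
    return (b"\x4C\x8B\xD1" + b"\xB8" + struct.pack("<I", ssn)
            + b"\xF6\x04\x25\x08\x03\xFE\x7F\x01" + b"\x75\x03"
            + b"\x0F\x05" + b"\xC3" + b"\xCD\x2E" + b"\xC3")


def classify_prolog(code: bytes):
    """Identify a control-transfer instruction at the start of a prolog.

    Returns (kind, target): target is an offset from the prolog start for
    relative jumps and an absolute value for the other forms; ("none", None)
    if the first instruction is not one of the usual hook trampolines."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return "jmp_rel32", 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        return "jmp_rel8", 2 + struct.unpack_from("<b", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp [rip+disp32]
        return "jmp_rip_indirect", 6 + struct.unpack_from("<i", code, 2)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0]   # mov rax,imm64; jmp rax
    if len(code) >= 13 and code[:2] == b"\x49\xBB" and code[10:13] == b"\x41\xFF\xE3":
        return "mov_r11_jmp", struct.unpack_from("<Q", code, 2)[0]   # mov r11,imm64; jmp r11
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "none", None


def detect_hooks(in_memory: dict, on_disk: dict) -> dict:
    """Compare each target's in-process prolog with its on-disk prolog.

    A byte mismatch is the verdict; the transfer-instruction kind only explains
    it. A transfer instruction that matches disk is reported but not flagged,
    since some exports legitimately begin with a jmp thunk."""
    findings = {}
    for dll, exports in HOOK_TARGETS.items():
        for name in exports:
            key = f"{dll}!{name}"
            mem, disk = in_memory.get(key), on_disk.get(key)
            if mem is None or disk is None:
                findings[key] = {"hooked": None, "kind": "not_sampled",
                                 "target": None, "changed_bytes": 0}
                continue
            kind, target = classify_prolog(mem)
            changed = sum(1 for a, b in zip(mem[:PROLOG_LEN], disk[:PROLOG_LEN]) if a != b)
            findings[key] = {"hooked": changed > 0, "kind": kind,
                             "target": target, "changed_bytes": changed}
    return findings


def build_sample():
    """Constructed input: clean on-disk prologs and an in-memory view where four
    of the targets carry different trampoline styles."""
    fake_ssn = {n: 0x10 + i for i, n in enumerate(HOOK_TARGETS["ntdll.dll"])}
    # Made-up frame-setup prolog standing in for the advapi32/sechost exports.
    generic = b"\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x56\x57\x41\x56\x48\x83\xEC\x20"
    on_disk = {f"ntdll.dll!{n}": syscall_stub(s) for n, s in fake_ssn.items()}
    on_disk["advapi32.dll!EnumServicesStatusExW"] = generic
    on_disk["sechost.dll!EnumServiceGroupW"] = generic
    in_memory = dict(on_disk)
    k = "ntdll.dll!NtQuerySystemInformation"   # jmp rel32 (5-byte patch)
    in_memory[k] = b"\xE9" + struct.pack("<i", 0x1000) + on_disk[k][5:]
    k = "ntdll.dll!NtQueryDirectoryFile"       # mov rax,imm64 ; jmp rax (12 bytes)
    in_memory[k] = b"\x48\xB8" + struct.pack("<Q", 0x22F4B921BBC) + b"\xFF\xE0" + on_disk[k][12:]
    k = "ntdll.dll!NtEnumerateValueKey"        # push imm32 ; ret (6 bytes)
    in_memory[k] = b"\x68" + struct.pack("<I", 0x4B921628) + b"\xC3" + on_disk[k][6:]
    k = "advapi32.dll!EnumServicesStatusExW"   # jmp qword ptr [rip+0] (6 bytes)
    in_memory[k] = b"\xFF\x25" + struct.pack("<i", 0) + on_disk[k][6:]
    return in_memory, on_disk


if __name__ == "__main__":
    for key, f in detect_hooks(*build_sample()).items():
        state = "HOOKED" if f["hooked"] else "clean"
        print(f"{key:42s} {state:7s} {f['kind']:17s} changed={f['changed_bytes']}")
```

The disk comparison, not the instruction pattern, carries the verdict: an export that starts with a jmp but matches its file image is a normal thunk, and a prolog overwritten with a trampoline style this list does not know is still caught by the byte mismatch. Nt* stubs contain no relocated absolute addresses, so a raw compare is safe for them; for other prologs, apply the image's relocations to the on-disk copy (or mask relocated bytes) before comparing, or legitimate base-address differences will look like hooks.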

                                                                          Control-flow Graph

Control-flow graph (rendered graph not reproduced): CRT DllMain dispatch at 22f4b8f6910-22f4b8f6c2c; reaches __scrt_dllmain_crt_thread_attach (22f4b8f6938) and __scrt_dllmain_after_initialize_c (22f4b8f69de) and calls internal CRT helpers (22f4b8f6e54, 22f4b8f6f04, 22f4b8f6fc0, 22f4b8f7130, 22f4b8f7190, 22f4b8f268c, 22f4b905780, 22f4b8fac0c, 22f4b8fabc8); no imported API calls are listed for this function.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 44c41662410089b528ca2d48acd593e41cddb88394403bf67763fb9a239446ba
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 8781BF39E00201A6FAD0BFE5D659B5B22B1EB89782F5482359B4583797FBF9C847C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 0000022F4B92CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CEBC
                                                                          • SetLastError.KERNEL32 ref: 0000022F4B92CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,0000022F4B92ECCC,?,?,?,?,0000022F4B92BF9F,?,?,?,?,?,0000022F4B927AB0), ref: 0000022F4B92CF2C
                                                                            • Part of subcall function 0000022F4B92D6CC: HeapAlloc.KERNEL32 ref: 0000022F4B92D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CF54
                                                                            • Part of subcall function 0000022F4B92D744: HeapFree.KERNEL32 ref: 0000022F4B92D75A
                                                                            • Part of subcall function 0000022F4B92D744: GetLastError.KERNEL32 ref: 0000022F4B92D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000022F4B930A6B,?,?,?,0000022F4B93045C,?,?,?,0000022F4B92C84F), ref: 0000022F4B92CF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 43cd81bcdb26728153ee64f1615efb2ef4fe9c99b681245c46ce7db633faee17
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 86413C6CE0124461FAEC7FA1D77E36B22725F457B0F240F34AB36066E7DAAC8851C200

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 05906820ac88f93dd4f39b3c0b5c824dab056eed99cf60f72fbd9261573551f1
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 6521603AA1864093FB54AF65F66835B73B0F789BA4F541235DB5902AA9CFBCC149CF00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 2a02c290a53c1189dee5bf018af1a8916d4d54de72c2aaec13b2c8ff930c8b50
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 29E18C3AE007409AFBA8AFA5D65939E77B0F755B98F000935DB8957B96CB78C082C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: fe26667269d8011ccc73069bfa6e4b4c25f03e493cc576837db71b885a00b806
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: F5E1B23AA047409AEBA0EFA5D548B9E37B0F7A5799F100135EF4957B57EB74C092C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: ddb198e122b73e8a3f28c7f5a39207ffb200a7d8f85c176143a44c7ded816286
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: FE41E62AF15A1061FE99EF96EA6C75733B1B749BA0F0449359F0987786DEBCC445C300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: ce9cefd1f562b99d9dbd7395918815e3e2e756b4851a030e7b44f7ae27ca4f18
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 7B417B36A14B8096E7A4DFA1E55839A77B1F389B88F048139DB8907659DF7CC499CB00
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000022F4B92C7DE,?,?,?,?,?,?,?,?,0000022F4B92CF9D,?,?,00000001), ref: 0000022F4B92D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B92C7DE,?,?,?,?,?,?,?,?,0000022F4B92CF9D,?,?,00000001), ref: 0000022F4B92D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B92C7DE,?,?,?,?,?,?,?,?,0000022F4B92CF9D,?,?,00000001), ref: 0000022F4B92D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B92C7DE,?,?,?,?,?,?,?,?,0000022F4B92CF9D,?,?,00000001), ref: 0000022F4B92D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000022F4B92C7DE,?,?,?,?,?,?,?,?,0000022F4B92CF9D,?,?,00000001), ref: 0000022F4B92D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 68759005852adcf3171e0ff60abff8fc8c588892bed47c8f11c2368566aedfeb
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 82116028E0524461FAEC7FA5D77A36B6271AF457A0F184B349A3906AEBDEACC441D200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 6f5e93a162b23b54c21195d557574761c6a2a135c6bf61360d10f18f6c10e5af
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 4581BE28E05211A6FAD8BFE5D7793AB66B0AB85780F1448359B04637A7DBFCCC45C701
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: cfa57f484c19428b64e88ae7352f6a3b0abaf1da1530dbc16454f581c9e117d6
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 2431C639E12640B1FE99AF92F62875626B4BB59BA0F590D399F1E07392DFBCC445C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 1f689572b639900c57dde68c5b7bd88d2cd7f37c2ae033ee2b9bfa03f010a894
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 7F115125A18B5096E790AF92FA6831A77B0F78CFE4F045234EB5987796CBB8C454C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 0ed048e5e3b52fc56552343c1a854fdca816720b0fdf5b44690934109365be18
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 3F115A2AB0874096FF98AFA2E62826A63B4F749B84F040438DF8907756EF6DC505C704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: ec0cbce3550fec8339a6e946288d8a6108edade13ae5567d057380e43e41bcc5
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 14D1BE3AA08B5491EAB4AF46E59435B77B0F788B84F110536EB8D47B66DF7CC550CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: 1fe216bd1476280168fbe223966ae833535e2b5a5efe5b68f78fbeaaa7c07e44
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: E231842AF05B51A6FA98EF96D66876B77B0FB45B84F0848309F4847756DB78C461C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\svchost.exe
                                                                          • API String ID: 3168794593-4180442734
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: 7dfe08a534faba01666aadb2be99fbc9db53ae29dd44e0011bdb459922bf7198
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: A43161AF90DAD06AE795AFE5DA7D25A3FB0F789F40F09E035DB4403247EAA49414C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: 57122028f5d53c02883f600eadc49a6396775f81f38f02548465b3eef2a825eb
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: EC91D936F14650A5FF98AFB5D6683AE3BB0B709B88F146139DF0657686DBB8C481C700
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 02d1edb0a5e1cca039bca6663e81e070966819762127b03230a92844af748570
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: CB117326B14F1199EB40DFA0E8693A933B4F319758F441E31DB6D467A5DFB8C1A4C380
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: edd5805ef3becc3b88349778882c95b5b12efe4fc6c6a26829ab48fc4fee1c99
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 3871E62AE0478055FBACBFA5DA683AB77B4F385B84F440836DF0943B96DAB8C544C700
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 0ffabecdf41bcabb357420606bdc30180c917a6a9d8feee04490687f31be5e26
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: 3761993AA00B44DAEB60EFA5D14479E77B1F394B8DF044225EF4907B9AEBB8C156C700
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: dfc7ffcc73b3e11647f509b5b3e025f722843702818dd276fee68ac56059c76b
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 8351A12AE08781A1FEACAEA9E27C36B7661F385740F454935DF4903B5ACABDC504C740
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 51a8b5eeb4e5ff50c2e66dde0cc123fdf87a4a6a0d6266f526e22efb781dce26
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 4A41C336B15B8092EB60AF65E5583AA77B0F388794F505031EF4E87795DBBCC441CB40
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: 541ee36eacddfabf60ee726d306f997b15ea919d41eb024aa812d4f660364ce5
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: DB114936A09B8092EBA49F15F55825A77E0F788B94F184634EF8C07759DF7CC551CB00
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 55c80d3c338a0f90901285bd0ce2c41312c51eb2db4c664788685bd73fbad8fc
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: E2E08661B40B48E1DF419F61E99429973B0DB59B64B8891329A5C46312FA78D1E9C300
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2634829706.0000022F4B8F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b8f0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 89a22d88f48f7fcc7d6ac2f02ba3dee9c3b8767fa78641d9caf5808c7b310efd
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 41E08661B00B48D0DF419F61D5942997370E759B54B889132CA5C06312FA78D1E9C300
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 7ff828ae3143df2aaebd1ee6216806e1023660a880acafb97f17a6dcd5bd222a
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 14115E29E01B5491EA88EFE6E51822A77B1F789FC0F1850359F4D43766DEB8C462C340
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.2635230246.0000022F4B920000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_22f4b920000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 3e1e9a40939542c600504de3384a6c328f8b6d35d2671f485f6e89c9c26a68de
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 6CE03939A0160486EB44AFA2D92834A3AE1EB8DB06F04D0348E0907352DFBD8499C750

                                                                          Execution Graph

                                                                          Execution Coverage:1.6%
                                                                          Dynamic/Decrypted Code Coverage:95.1%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:123
                                                                          Total number of Limit Nodes:16
                                                                          execution_graph (the graph's node edges flattened into the call chains they record; graph node numbers dropped)
                                                                          • 262f1ca273c → 262f1ca276a: VirtualAlloc (262f1ca27c5), then a loop over LoadLibraryA (262f1ca2858); returns via 262f1ca28d4.
                                                                          • 262f1cd5cf0 → 262f1cd5cfd: SetThreadContext (262f1cd5d66); a loop of VirtualProtect + FlushInstructionCache (262f1cd5e41); 262f1cd43e0 (loop over VirtualFree at 262f1cd4412); 262f1cd4df0 (GetCurrentProcess, then a loop of VirtualProtect + FlushInstructionCache at 262f1cd4e22); a loop over ResumeThread (262f1cd5f37); 262f1cd7940 → IsProcessorFeaturePresent (262f1cd812c) → capture_previous_context (262f1cd8144).
                                                                          • 262f1cd554d: VirtualProtect (262f1cd5637), with GetLastError (262f1cd5663) on one path.
                                                                          • 262f1cd1abc: 262f1cd1628 (GetProcessHeap, __free_lconv_num, then four calls to 262f1cd1268: GetProcessHeap, 262f1ce6168, GetProcessHeap, __free_lconv_num); nine RegOpenKeyExW calls in sequence (262f1cd168e, 262f1cd16c0, 262f1cd16ff, 262f1cd173a, 262f1cd1775, 262f1cd17b0, 262f1cd17eb, 262f1cd1826, 262f1cd1861), each followed by either 262f1cd12bc (RegQueryInfoKeyW, GetProcessHeap, RegEnumValueW, lstrlenW, HeapFree, StrCpyW, and 262f1cd152c: StrCmpIW / StrCmpW; then RegCloseKey) or 262f1cd104c (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapFree, RegCloseKey) and a RegCloseKey; control then returns to 262f1cd1acb, which loops between Sleep / SleepEx (262f1cd1ad2) and 262f1cd1598 (StrCmpIW, StrCmpW).
                                                                          • 262f1cd3ab9 → 262f1cd3a06: VirtualQuery (262f1cd3a56), VirtualAlloc (262f1cd3a8a), GetLastError (262f1cd3abb).
                                                                          • 262f1cd28c8 → 262f1cd290e: loop calling 262f1cd3844 (StrCmpNIW at 262f1cd3851).

                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 162cc10300e87f2e0ef0f468f36b720f9018e9fc9290d6ef0c852e4d82a3a8bd
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 0971F736310E31C6EB509F66E89C69937B5F784B88F801121DA9E47FA9DE3AC548C345
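
An added hunting check for the configuration key named in this function's strings (SOFTWARE\dialerconfig with the entries paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp). This is not code from the Joe Sandbox report or from the sample. The report does not show which hive the sample opens or whether those eight names are subkeys or values, so the script assumes nothing about either: it checks HKLM (both registry views) and HKCU, and matches the names as subkeys and as values.

```powershell
# Added hunting check; not code from the Joe Sandbox report or from the sample.
# Looks for the SOFTWARE\dialerconfig key read by the code injected into dwm.exe
# and reports which of the eight names seen in the report exist beneath it.
# Assumptions: hive and node type are not visible in the report, so HKLM (both
# views) and HKCU are checked, and names are matched as subkeys and as values.
$ExpectedNames = @('paths', 'pid', 'process_names', 'service_names',
                   'startup', 'tcp_local', 'tcp_remote', 'udp')
$KeyPaths = @(
    'HKLM:\SOFTWARE\dialerconfig',
    'HKLM:\SOFTWARE\WOW6432Node\dialerconfig',
    'HKCU:\SOFTWARE\dialerconfig'
)

function Find-DialerConfig {
    param(
        [string[]]$Paths = $KeyPaths,
        [string[]]$Names = $ExpectedNames
    )

    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $Key = Get-Item -LiteralPath $Path

        # -contains compares case-insensitively; the report shows both StrCmpIW
        # and StrCmpW in the sample's comparison routine, so do not assume case.
        $SubKeyHits = @($Key.GetSubKeyNames() | Where-Object { $Names -contains $_ })
        $ValueHits  = @($Key.GetValueNames()  | Where-Object { $Names -contains $_ })

        [pscustomobject]@{
            Key            = $Path
            MatchedSubKeys = ($SubKeyHits -join ',')
            MatchedValues  = ($ValueHits -join ',')
            Score          = $SubKeyHits.Count + $ValueHits.Count
        }
    }
}

$Hits = @(Find-DialerConfig)
if ($Hits.Count -eq 0) {
    # A clean live query is not conclusive: user-mode registry hooks can hide
    # a key from the infected host's own API view. Re-check from offline copies
    # of the SOFTWARE and NTUSER.DAT hives taken from the host.
    'No dialerconfig key found in the hives checked.'
} else {
    $Hits | Sort-Object Score -Descending | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the suspect host; the key's mere presence is the indicator, and any name matches only raise confidence that it is the same configuration layout the report shows.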

                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 2a4f39d000dc5e0ff51a22112409821ed963dcfd8cb1496f1ec10a3734d539db
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 1A11757A310FA0C2EF549B21E40C269B6B0FB88B84F850039DE9A07B94EF3EC509C705

                                                                          Control-flow Graph

                                                                          control_flow_graph for 262f1cd5b30 (basic blocks flattened; the executed / not-executed colouring of the rendered graph is not recoverable from the dump)
                                                                          • 262f1cd5b30: GetCurrentThreadId (262f1cd5b6b); the 262f1cd5b78 branch exits through 262f1cd5faf (call 262f1cd7940).
                                                                          • 262f1cd5b8b: call 262f1cd5960, then exit.
                                                                          • 262f1cd5bbe loop: either 262f1cd5bd5 (call 262f1cd85c0) or 262f1cd5c1a (calls 262f1cd4510, 262f1cd44b0, 262f1cd4470), back to 262f1cd5bbe.
                                                                          • 262f1cd5cbc: GetThreadContext; on success either 262f1cd5d3e (call 262f1cd3970, then SetThreadContext) or 262f1cd5dc5 (calls 262f1cd3900 and 262f1cd74dd).
                                                                          • 262f1cd5e1f: call 262f1cd74bf, then a loop at 262f1cd5e35: VirtualProtect + FlushInstructionCache (262f1cd5e41), optionally 262f1cd4390 (262f1cd5ea6), then 262f1cd78ac (262f1cd5ec9), back to 262f1cd5e35.
                                                                          • 262f1cd5efe: optionally 262f1cd43e0 (262f1cd5f19), then 262f1cd4df0 (262f1cd5f1e); loop at 262f1cd5f2f: ResumeThread followed by 262f1cd78ac (262f1cd5f37); exit through 262f1cd5faf (call 262f1cd7940).
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction ID: f515dcaf2d8ca959d8117a1283b462ed4ccb653c08f730e0e3b6dd192dd2003e
                                                                          • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction Fuzzy Hash: 74D19676204F98C1DA609B0AE49835AB7B0F388B84F504226EE9E47FA9DF3DC555CF11

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 131 262f1cd50d0-262f1cd50fc 132 262f1cd50fe-262f1cd5106 131->132 133 262f1cd510d-262f1cd5116 131->133 132->133 134 262f1cd5127-262f1cd5130 133->134 135 262f1cd5118-262f1cd5120 133->135 136 262f1cd5141-262f1cd514a 134->136 137 262f1cd5132-262f1cd513a 134->137 135->134 138 262f1cd514c-262f1cd5151 136->138 139 262f1cd5156-262f1cd5161 GetCurrentThreadId 136->139 137->136 140 262f1cd56d3-262f1cd56da 138->140 141 262f1cd516d-262f1cd5174 139->141 142 262f1cd5163-262f1cd5168 139->142 143 262f1cd5181-262f1cd518a 141->143 144 262f1cd5176-262f1cd517c 141->144 142->140 145 262f1cd518c-262f1cd5191 143->145 146 262f1cd5196-262f1cd51a2 143->146 144->140 145->140 147 262f1cd51ce-262f1cd5225 call 262f1cd56e0 * 2 146->147 148 262f1cd51a4-262f1cd51c9 146->148 153 262f1cd523a-262f1cd5243 147->153 154 262f1cd5227-262f1cd522e 147->154 148->140 157 262f1cd5255-262f1cd525e 153->157 158 262f1cd5245-262f1cd5252 153->158 155 262f1cd5230 154->155 156 262f1cd5236 154->156 159 262f1cd52b0-262f1cd52b6 155->159 160 262f1cd52a6-262f1cd52aa 156->160 161 262f1cd5260-262f1cd5270 157->161 162 262f1cd5273-262f1cd5298 call 262f1cd7870 157->162 158->157 164 262f1cd52b8-262f1cd52d4 call 262f1cd4390 159->164 165 262f1cd52e5-262f1cd52eb 159->165 160->159 161->162 170 262f1cd529e 162->170 171 262f1cd532d-262f1cd5342 call 262f1cd3cc0 162->171 164->165 175 262f1cd52d6-262f1cd52de 164->175 168 262f1cd52ed-262f1cd530c call 262f1cd78ac 165->168 169 262f1cd5315-262f1cd5328 165->169 168->169 169->140 170->160 178 262f1cd5351-262f1cd535a 171->178 179 262f1cd5344-262f1cd534c 171->179 175->165 180 262f1cd536c-262f1cd53ba call 262f1cd8c60 178->180 181 262f1cd535c-262f1cd5369 178->181 179->160 184 262f1cd53c2-262f1cd53ca 180->184 181->180 185 262f1cd53d0-262f1cd54bb call 262f1cd7440 184->185 186 262f1cd54d7-262f1cd54df 184->186 198 262f1cd54bf-262f1cd54ce call 262f1cd4060 185->198 199 262f1cd54bd 185->199 187 262f1cd54e1-262f1cd54f4 call 262f1cd4590 186->187 188 262f1cd5523-262f1cd552b 186->188 202 262f1cd54f6 187->202 203 262f1cd54f8-262f1cd5521 187->203 191 262f1cd552d-262f1cd5535 188->191 192 262f1cd5537-262f1cd5546 188->192 191->192 195 262f1cd5554-262f1cd5561 191->195 196 262f1cd554f 192->196 197 262f1cd5548 192->197 200 262f1cd5563 195->200 201 262f1cd5564-262f1cd55b9 call 262f1cd85c0 195->201 196->195 197->196 207 262f1cd54d0 198->207 208 262f1cd54d2 198->208 199->186 200->201 210 262f1cd55bb-262f1cd55c3 201->210 211 262f1cd55c8-262f1cd5661 call 262f1cd4510 call 262f1cd4470 VirtualProtect 201->211 202->188 203->186 207->186 208->184 216 262f1cd5671-262f1cd56d1 211->216 217 262f1cd5663-262f1cd5668 GetLastError 211->217 216->140 217->216
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction ID: b2b6570a131ed07fa27134079986df203cba60a0634c7f222d769f1e73e1ebbf
                                                                          • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction Fuzzy Hash: A902A536219B94C6EB60CB55E49835AB7B0F3C4B94F504026EA9E87FA8DF79C458CF01

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocQuery
                                                                          • String ID:
                                                                          • API String ID: 31662377-0
                                                                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction ID: f5d4ca8b0c7221f02f22334eb3d859529a50ccd313fad52f8f1fe78a8b9eb8bc
                                                                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction Fuzzy Hash: E3312B72719E94C1EA309A55E44E35AB6B0F388784F901535F5DF06FE8DB7EC1888B06

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 1cb0b201c473f7d4aa60c0edbe03fa02cc738559a98e3751f0b64c66dd15a5c1
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 3911ADB1620E31C2FB60AB20FA0D36AB2B4A744B04FC06139D96781ED1EF7BC14D8217

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 3733156554-0
                                                                          • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction ID: 69158a12e240613d168a8efeae7f989a42e166dd776a10eb5d72f847b8422932
                                                                          • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction Fuzzy Hash: 6AF01D36218F14C0D6319B02E44935ABBB0E388BD4F940121FA9E03FA9CA3AC5988F01

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 265 262f1ca273c-262f1ca27a4 call 262f1ca29d4 * 4 274 262f1ca27aa-262f1ca27ad 265->274 275 262f1ca29b2 265->275 274->275 276 262f1ca27b3-262f1ca27b6 274->276 277 262f1ca29b4-262f1ca29d0 275->277 276->275 278 262f1ca27bc-262f1ca27bf 276->278 278->275 279 262f1ca27c5-262f1ca27e6 VirtualAlloc 278->279 279->275 280 262f1ca27ec-262f1ca280c 279->280 281 262f1ca280e-262f1ca2836 280->281 282 262f1ca2838-262f1ca283f 280->282 281->281 281->282 283 262f1ca28df-262f1ca28e6 282->283 284 262f1ca2845-262f1ca2852 282->284 285 262f1ca28ec-262f1ca2901 283->285 286 262f1ca2992-262f1ca29b0 283->286 284->283 287 262f1ca2858-262f1ca286a LoadLibraryA 284->287 285->286 288 262f1ca2907 285->288 286->277 289 262f1ca286c-262f1ca2878 287->289 290 262f1ca28ca-262f1ca28d2 287->290 293 262f1ca290d-262f1ca2921 288->293 294 262f1ca28c5-262f1ca28c8 289->294 290->287 291 262f1ca28d4-262f1ca28d9 290->291 291->283 296 262f1ca2982-262f1ca298c 293->296 297 262f1ca2923-262f1ca2934 293->297 294->290 295 262f1ca287a-262f1ca287d 294->295 301 262f1ca287f-262f1ca28a5 295->301 302 262f1ca28a7-262f1ca28b7 295->302 296->286 296->293 299 262f1ca293f-262f1ca2943 297->299 300 262f1ca2936-262f1ca293d 297->300 304 262f1ca294d-262f1ca2951 299->304 305 262f1ca2945-262f1ca294b 299->305 303 262f1ca2970-262f1ca2980 300->303 306 262f1ca28ba-262f1ca28c1 301->306 302->306 303->296 303->297 307 262f1ca2963-262f1ca2967 304->307 308 262f1ca2953-262f1ca2961 304->308 305->303 306->294 307->303 310 262f1ca2969-262f1ca296c 307->310 308->303 310->303
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AllocLibraryLoadVirtual
                                                                          • String ID:
                                                                          • API String ID: 3550616410-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: a34336a910fdf5e8fe98ec8d4af113be88c168f61e4fe22353fc71cdf5eec74a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 51610532B01AB0C7DB55CF25902C72DB3A2F754BA4F988139DE5907BC8DA39D856E701

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000262F1CD1628: GetProcessHeap.KERNEL32 ref: 00000262F1CD1633
                                                                            • Part of subcall function 00000262F1CD1628: HeapAlloc.KERNEL32 ref: 00000262F1CD1642
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD16B2
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD16DF
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD16F9
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD1719
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD1734
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD1754
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD176F
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD178F
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD17AA
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD17CA
                                                                          • Sleep.KERNEL32 ref: 00000262F1CD1AD7
                                                                          • SleepEx.KERNELBASE ref: 00000262F1CD1ADD
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD17E5
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD1805
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD1820
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD1840
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD185B
                                                                            • Part of subcall function 00000262F1CD1628: RegOpenKeyExW.ADVAPI32 ref: 00000262F1CD187B
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD1896
                                                                            • Part of subcall function 00000262F1CD1628: RegCloseKey.ADVAPI32 ref: 00000262F1CD18A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: dd08e81586b102c995daeeeea5f39df5e02c09987114728e66334726611cffdb
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 1431DDB1200E62D1FB549B26DA5D3A933B4AB44FC0F8854319E2B87ED6FF16C459C312

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 573 262f1cd2b2c-262f1cd2ba5 call 262f1cf2ce0 576 262f1cd2ee0-262f1cd2f03 573->576 577 262f1cd2bab-262f1cd2bb1 573->577 577->576 578 262f1cd2bb7-262f1cd2bba 577->578 578->576 579 262f1cd2bc0-262f1cd2bc3 578->579 579->576 580 262f1cd2bc9-262f1cd2bd9 GetModuleHandleA 579->580 581 262f1cd2bdb-262f1cd2beb call 262f1ce6090 580->581 582 262f1cd2bed 580->582 584 262f1cd2bf0-262f1cd2c0e 581->584 582->584 584->576 587 262f1cd2c14-262f1cd2c33 StrCmpNIW 584->587 587->576 588 262f1cd2c39-262f1cd2c3d 587->588 588->576 589 262f1cd2c43-262f1cd2c4d 588->589 589->576 590 262f1cd2c53-262f1cd2c5a 589->590 590->576 591 262f1cd2c60-262f1cd2c73 590->591 592 262f1cd2c83 591->592 593 262f1cd2c75-262f1cd2c81 591->593 594 262f1cd2c86-262f1cd2c8a 592->594 593->594 595 262f1cd2c9a 594->595 596 262f1cd2c8c-262f1cd2c98 594->596 597 262f1cd2c9d-262f1cd2ca7 595->597 596->597 598 262f1cd2d9d-262f1cd2da1 597->598 599 262f1cd2cad-262f1cd2cb0 597->599 600 262f1cd2da7-262f1cd2daa 598->600 601 262f1cd2ed2-262f1cd2eda 598->601 602 262f1cd2cc2-262f1cd2ccc 599->602 603 262f1cd2cb2-262f1cd2cbf call 262f1cd199c 599->603 604 262f1cd2dbb-262f1cd2dc5 600->604 605 262f1cd2dac-262f1cd2db8 call 262f1cd199c 600->605 601->576 601->591 607 262f1cd2cce-262f1cd2cdb 602->607 608 262f1cd2d00-262f1cd2d0a 602->608 603->602 612 262f1cd2dc7-262f1cd2dd4 604->612 613 262f1cd2df5-262f1cd2df8 604->613 605->604 607->608 615 262f1cd2cdd-262f1cd2cea 607->615 609 262f1cd2d3a-262f1cd2d3d 608->609 610 262f1cd2d0c-262f1cd2d19 608->610 617 262f1cd2d3f-262f1cd2d49 call 262f1cd1bbc 609->617 618 262f1cd2d4b-262f1cd2d58 lstrlenW 609->618 610->609 616 262f1cd2d1b-262f1cd2d28 610->616 612->613 620 262f1cd2dd6-262f1cd2de3 612->620 621 262f1cd2dfa-262f1cd2e03 call 262f1cd1bbc 613->621 622 262f1cd2e05-262f1cd2e12 lstrlenW 613->622 623 262f1cd2ced-262f1cd2cf3 615->623 626 262f1cd2d2b-262f1cd2d31 616->626 617->618 633 262f1cd2d93-262f1cd2d98 617->633 628 262f1cd2d7b-262f1cd2d8d call 262f1cd3844 618->628 629 262f1cd2d5a-262f1cd2d64 618->629 630 262f1cd2de6-262f1cd2dec 620->630 621->622 641 262f1cd2e4a-262f1cd2e55 621->641 624 262f1cd2e35-262f1cd2e3f call 262f1cd3844 622->624 625 262f1cd2e14-262f1cd2e1e 622->625 632 262f1cd2cf9-262f1cd2cfe 623->632 623->633 635 262f1cd2e42-262f1cd2e44 624->635 625->624 634 262f1cd2e20-262f1cd2e33 call 262f1cd152c 625->634 626->633 636 262f1cd2d33-262f1cd2d38 626->636 628->633 628->635 629->628 639 262f1cd2d66-262f1cd2d79 call 262f1cd152c 629->639 640 262f1cd2dee-262f1cd2df3 630->640 630->641 632->608 632->623 633->635 634->624 634->641 635->601 635->641 636->609 636->626 639->628 639->633 640->613 640->630 646 262f1cd2ecc-262f1cd2ed0 641->646 647 262f1cd2e57-262f1cd2e5b 641->647 646->601 651 262f1cd2e5d-262f1cd2e61 647->651 652 262f1cd2e63-262f1cd2e7d call 262f1cd85c0 647->652 651->652 654 262f1cd2e80-262f1cd2e83 651->654 652->654 657 262f1cd2ea6-262f1cd2ea9 654->657 658 262f1cd2e85-262f1cd2ea3 call 262f1cd85c0 654->658 657->646 660 262f1cd2eab-262f1cd2ec9 call 262f1cd85c0 657->660 658->657 660->646
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: a177fddec4b88f16ad46b532f8d0131db3d251d55888a683a3291251559f78e9
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 9BB16C72210E60C6EB689F25D44C7A9B3B5F744B85F84502AEE5A53FD4EB36CC48C742
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: efcd35b1337ab5df1fe294d76f9b706763eb5fa9cb9746bd727f4cee349ea837
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: DA311972215FA0CAEB609F61E8487ED7374F784748F84442ADA8E57B98EF39C548C711
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: da021ba86110892effe39d4fc11828f8e823c15a7bb22e1c0f27b3b3a58a8297
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: CB314F36214F90C6DB60CF25E8483AE73B4F789B54F940125EA9E43B98DF39C559CB01

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 8b2d74f67ada98dcabe44bd247889f986e2a56db0fc33629ede240e1049ec8c9
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: AE512736210BA5C6EB55CF62E54C39AB7B1F789F99F844124DA8A07B98DF3DC049CB01

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 3a74d2599801aa6a1e11c32b3677720e74a77169cd2eab6a390e9b77b6f4c89c
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: C0316D74610E6AE0FA04EBA9E85D7E87331A714744FC05077D86A07DE6EE7AC24DC362

                                                                          Control-flow Graph (rendered graph image not recoverable): function 262f1ca6910 in hcaresult_45_2_262f1ca0000_dwm, CRT startup code whose blocks call __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c; legend: Executed / Not Executed.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 0e9dfa9ba647b6cb2cca73de8109350fb044866cc330f2674e80b782b893b8e3
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 4A81B131700E71C6FA529B66947D39962F0A785F80FD480359A8987FD7DB3BC84E8702

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000262F1CDCE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCEBC
                                                                          • SetLastError.KERNEL32 ref: 00000262F1CDCED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000262F1CDECCC,?,?,?,?,00000262F1CDBF9F,?,?,?,?,?,00000262F1CD7AB0), ref: 00000262F1CDCF2C
                                                                            • Part of subcall function 00000262F1CDD6CC: HeapAlloc.KERNEL32 ref: 00000262F1CDD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCF54
                                                                            • Part of subcall function 00000262F1CDD744: HeapFree.KERNEL32 ref: 00000262F1CDD75A
                                                                            • Part of subcall function 00000262F1CDD744: GetLastError.KERNEL32 ref: 00000262F1CDD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000262F1CE0A6B,?,?,?,00000262F1CE045C,?,?,?,00000262F1CDC84F), ref: 00000262F1CDCF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: d06c3d33f0f0fd0271a37b1289249116d06ceeb430432acfb907694d34498e0a
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: FD414170341E64C1FA69A735955D36D32B1AB847B0FD40B38AA3746ED6DE2B940B820B
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 0ea8ddb42258dda75713cf8af91465ce8e8a78f01ede03bf60da084cf4e0b9be
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: F9213D32624B60C2FB10CB25E44C35977B0F789BA4F900225EA9A03EE8CF3DC549CB01
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 58bbee964291ef7a1c134da0f52c8e406f854176cdcd209ea994e6a8979c7ea1
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: E5E19D76600BA0CAEB609F25D48D39D77B0F785B98F900126EEAA57FD5CB35C089C702
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 6b38e376778b149bdc4c3b380cedac2756958ca53bbab11c65d89ff85828ace3
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: C4E1AD32600F60CAEB628B65D4AE39D77B0F745B88F900125EE8987FD9CB35C499C742
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 971e2b2f94565b96c39bb62ced53fa46b29d5b9aeb7626148599951c3138b5b8
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: D7418132311E20D1EA1ACB56A80C75973B5BB45BA0F8541399D2B97BC4EF3AC44E8356
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 2efe49ca40e7873f17f2b68a3be79d0dbfb95e7132eac6a5a2eb20c80eeaff34
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 47416D33214F94C6E760CF61E44879E77B1F389B98F848129DA8A07B98DF39C589CB41
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000262F1CDC7DE,?,?,?,?,?,?,?,?,00000262F1CDCF9D,?,?,00000001), ref: 00000262F1CDD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CDC7DE,?,?,?,?,?,?,?,?,00000262F1CDCF9D,?,?,00000001), ref: 00000262F1CDD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CDC7DE,?,?,?,?,?,?,?,?,00000262F1CDCF9D,?,?,00000001), ref: 00000262F1CDD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CDC7DE,?,?,?,?,?,?,?,?,00000262F1CDCF9D,?,?,00000001), ref: 00000262F1CDD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000262F1CDC7DE,?,?,?,?,?,?,?,?,00000262F1CDCF9D,?,?,00000001), ref: 00000262F1CDD0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 820928b7479fd351fce2649da040f22c56de618b943f07477389abe3c93ddb75
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 43116370B04E64C1FA685735995D3797171AB847F0FD44335983B06EDADE2BD40B8202
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 7211ad9d6946ce46b383be27fe99703570c9c10e6a01704c1e265bb96fdcd71e
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: B581E431600F71C6FA50AB67984E35932B0A785B88FD54435996A43FD6EB3BC84D8703
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 594f1bafc856d3893149251d18731171b5591d061620a8c510eaacab37603846
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 4B31B035212E60E1EE129B46A45C75972B4B748BA0F9906359D7F0BFD0DF3AC449C302
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 14673d5ced4b66fc83c68de323fbdd6b1489ff4b37213dfb289c5fd47534d038
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: FF114F31320FA0C6E7508B56E85C31976B0F788FE5F844235EA9A87BE4DF7AC9188745
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: 64c08a5114c7a6086307fb48856dbc9f686564c89c43232cf22d0abf90b4150b
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 7D318B32701F71C2EA15DF56A54C769B7B0FB44B80F8884389E9A47F95EB3AD4A98301
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\dwm.exe
                                                                          • API String ID: 3168794593-3609004125
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: 44e1152b7863bb9b5c3f84e982e3eb927e907ea64dad4eee753e5f4e4bebec2d
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: F4318FB7529FF0CAE7568BB5985D2492FB0F785F40F899035DAC503AC7EA2AC4088702
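                                                                          The pipe names `\\.\pipe\dialerchildproc32` and `\\.\pipe\dialerchildproc64` (function with Process/File/Wow64 APIs above) and the `C:\Windows\system32\dwm.exe` string in this block are the observable side of the injection that the overview reports as allocating memory in, writing to and creating threads in foreign processes. As an added example (not the report's or the sample's code), the following triage rule runs over constructed Sysmon-style events (event IDs 10 ProcessAccess, 8 CreateRemoteThread and 17/18 PipeEvent, using those events' field names) and flags write-capable handles to the injection targets, remote threads started in them, and the report's pipe names. The log lines and the sample's path are made up for the example.

```python
# Pipe names the injected code uses (from this report's string list).
PIPE_IOCS = ("dialerchildproc32", "dialerchildproc64")
# Injection targets: dwm.exe from this block, explorer.exe from the overview signature.
INJECTION_TARGETS = {"c:\\windows\\system32\\dwm.exe", "c:\\windows\\explorer.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights an
# injector needs to allocate, write and start a thread in another process.
WRITE_RIGHTS = 0x0002 | 0x0008 | 0x0020


def parse_event(line):
    """'EventID=10|SourceImage=...|GrantedAccess=0x1FFFFF' -> dict of fields."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def triage(lines):
    """Return (rule, actor, object) tuples for the events that match."""
    alerts = []
    for line in lines:
        e = parse_event(line)
        eid = int(e.get("EventID", "0"))
        target = e.get("TargetImage", "").lower()
        if eid in (17, 18):                                  # pipe created / connected
            name = e.get("PipeName", "").lower()
            if any(ioc in name for ioc in PIPE_IOCS):
                alerts.append(("pipe_ioc", e.get("Image", "?"), name))
        elif eid == 8 and target in INJECTION_TARGETS:      # remote thread in target
            alerts.append(("remote_thread", e.get("SourceImage", "?"), target))
        elif eid == 10 and target in INJECTION_TARGETS:     # handle to target
            access = int(e.get("GrantedAccess", "0"), 16)
            if access & WRITE_RIGHTS:
                alerts.append(("write_handle", e.get("SourceImage", "?"), target))
    return alerts


# Constructed Sysmon-style events; paths and access masks are made up for the example.
SAMPLE_LOG = [
    r"EventID=17|Image=C:\Windows\system32\dwm.exe|PipeName=\dialerchildproc64",
    r"EventID=10|SourceImage=C:\Users\user\Desktop\Kawpow new.exe|TargetImage=C:\Windows\system32\dwm.exe|GrantedAccess=0x1FFFFF",
    r"EventID=8|SourceImage=C:\Users\user\Desktop\Kawpow new.exe|TargetImage=C:\Windows\system32\dwm.exe|StartAddress=0x262F1CD1000",
    r"EventID=10|SourceImage=C:\Windows\system32\csrss.exe|TargetImage=C:\Windows\system32\dwm.exe|GrantedAccess=0x1000",
    r"EventID=17|Image=C:\Windows\system32\svchost.exe|PipeName=\wkssvc",
]


def triage_constructed_log():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, actor, obj in triage_constructed_log():
        print(f"{rule}: {actor} -> {obj}")
```

                                                                          The fourth line (csrss.exe opening dwm.exe with PROCESS_QUERY_LIMITED_INFORMATION only) and the fifth (an ordinary service pipe) produce nothing. In production the process-access rule needs a source-image allowlist, since csrss.exe, lsass.exe and security agents legitimately hold write-capable handles to dwm.exe; the pipe-name rule is a secondary indicator because the operator can rename the pipes without changing the injection logic.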
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction ID: d6b5690b273dde7f86d1aef24005c9843eb03217595945b6431cec2bc08f3bdb
• Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction Fuzzy Hash: 1C115C30700EA0C1FA68A731954D37932B2AB847F0F944738A93747EDADE2BD40A8206
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction ID: 4e5e5c9f592a94b35fcc19fc5a254d532979f6271d4486124a607123559c275e
• Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction Fuzzy Hash: ED013531310EA1C2EA60DB52A84C35A63B1B788FC0F884035DE9A43B94DE3AC9898701
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction ID: 6cba21a4af934833e3eb2d3d44d937bf6f4740555bc069a1712a68904c824b22
• Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction Fuzzy Hash: 3A01F375221F60C2EB249B61E80C31976B0BB49B86F850439C99A07BA4EF3EC50C8716
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
• Instruction ID: 308ce32e7411e87eab6d2806d4a3004e8ba28075277838c5d5c20db3d123e404
• Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
• Instruction Fuzzy Hash: B451D13A311A20C6EB14DF25E85CB6937B6F345B88F908138DA6743BC8DB36D848C702
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: f82c31242e31d407b2306c6930e02845cac712b6177922ae2e0cb7a41ec940b0
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: 33F03C32714A61D2EB608B61E8CC75967B0F748B98FC44030DA8A46D94DB2EC68DCB01
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: b440c6b17e2f2db1e5b56e6d9735305995e3fe1d05fd780c0ed9454c074bdac1
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: 88F06D71221F24C1EB148F25E84D3696370FB89BA5F940229CAAB46AE4CF2EC14C8742
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: df11b0761cea6230b71b1c40b6af23e9633ad912a449cec17baf7e3fbe88cbd0
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: EDF05870324FA0C2EA108B12B90C129A270AB48FD0F889130EE9A07F98DF29C4498701
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
• Instruction ID: c5e72abcfce9d79b8b7567304ceb78ee16b8cd055a3aa9df2eaf4005f17435df
• Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
• Instruction Fuzzy Hash: 4E619536529F94C6E6608B16E44D31AB7F0F388784F910126EA9E47FA8DB7AC4598F01
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 952807aa8fc61c7a0db381fec0d1238efe038242c98caa6c498a4c6b26e50c80
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: E2117332B10F7391FE7415A8D45D3A511716BBC3B8FD90634A976C7ED6DA2AC8498302
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 86fd9da19b3e7711020116dfbdbff4163035235e29876a1cd1bb7a4f50a89112
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: AA110672A10E31D1FB64D169E45D36910A06B68370FC8A738ED76C6FD7CB26C84C4212
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
• API String ID: 3215553584-4202648911
• Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
• Instruction ID: 2693d75cc8a488b232686ff892eab7a8759045e31ec2c5ca6fae8e57f74764f9
• Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
• Instruction Fuzzy Hash: D861B536600E60C2FA6F9BA5D56C36E6AB1E785780FD14535CA0A13FE5DB36D84D8303
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: e1a20fd508caf8a5f6765fb50d681b03690da12f7eb7d60a8bb628ac6abbe8ef
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: 78616736600F94CAEB20DF65D48839D77B0F384B98F444226EF5A17B98DB39C599C702
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: e5ed4b0152f49c0584dddd997cf4ef3ea3f20a19e60deff956db04587ce3b8b6
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: B3518E72100AA0CAEB648F25948C35D77B0F354B85F944165DAAA47FD5CB39D469C702
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: cc31e3b1dfcfdf7aeedbaa52416e1423e52d3f8c216e73a053aa67470b5f28ef
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 7D51C132100BA0CAEB758F55946C35C77B0F359B84F984226DB8987FD5CB7AD46AC702
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction ID: efbe961e6b335ef7d56e398f86f0b5f3ec05cd67d3f30bdc0fa12f15912bc9e8
• Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction Fuzzy Hash: 5F51AE32A11A20CBEB56DB16E46CB1937B5F354B99F908134DE9643BCCEB36C8498706
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: 05a2582f9f2a6767bc9f2ee15fce962ba51685f6fc6f45ca99ea4af669743e36
• Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction Fuzzy Hash: 3131AF31601A60DBE716DF12E86C71937B4F340B89F858028EE9B43BC9DB3AC949C706
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction ID: 8d17b31efa7475d674c976f0faebc428cce531d4e84e975da1d5a3a3e9c3de9e
• Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction Fuzzy Hash: 04D1F272714AA0C9E711CFB9D44839C3BB1F354B98F84422ACE5AA7FD9DA36C50AC741
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction ID: 9cfef866bf38972d2de149b9677fc042e8c1b929b052f182c3db5e27ed9b98a4
• Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction Fuzzy Hash: C891BD72B10E70C5FB609F65948C3AD2BB0B744B88F94512DDE4A67EC5DB36C48AC702
APIs
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction ID: e01a779cea9c93616cd5f610ee93c3cd7353dec22c12f9fd5c10b425570b4b5e
• Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: 81112E32710F21C9EB00CF61E8593A833B4F759B68F841E35DA6D46BA4DB79C1988381
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 89e297436789c9c4a704c7320c297aae3d163685001dcc85eb85acc3ebbcb7ba
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: 2C717F36200FA1C5E6359A25D84C3AA77B4F785B84F86003ADD2A53FC9DB36C5498701
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: eef630dc3bc335752803be99c518d3569bc3ab5f1573de092e965d7aeb617247
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: B1617532A00B94CAEB22CF65D4A939D77B0F348B88F444225EF4957BD9DB3AD099C701
APIs
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 581490ec37eb12b4a49e26f746fbe94e91d80e0a7dc13fbd6d0b42662468dd3c
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 2551B332204BA1C1E6759A2AA45C7AAB7B1F385790FC5013ADD6B03FD9DA3BC50D8742
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: ff9e6a88fde6903ee08071c4cd7e32a881b35447146b2413937c6eeff5d318d2
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: A0419F33214AA0C2DB208F25E84C3AA77B0F798794F804035EE4E87B94EB3DC549C741
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: ef5009e02e70c4d5282558955f89a2fc2d9ae05583a6035f1908105723be9ce8
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 12111936214F9082EB618B15E45825977E5F788B94F984220EA8E07BA9EF3DC555CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 7bf5f5965613a0a8b1d9dfa8b824b68f951a15287d7b07ca51ce1174b80c9a98
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 88E08671A40F84D1DF028F22E85829833B0DB59B64B889132D95C46395FA38D1FEC701
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670820791.00000262F1CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1ca0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: ba80466b532ef0c5e980a269dca26dcd20034a65d9df5038e5d6078ae73a35b7
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 5DE08671A00F44C0DF028F21D4541987370E759B64BC89132D94C46391EA38D1E9C301
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: c2dd492a370e18534819ce78c266ab2d626ad6c2575c03d119badc930bcd18a0
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: DE116D35611F65C1EA05DB66A40C22973B1FB89FC0F984038DE8E43BA5DF7AC446C301
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.2670867164.00000262F1CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_262f1cd0000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: e0bac6b3f5b15c70722f9493a1e9469b73309d7d80f815f2ab4276cd36964230
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 21E06D35621A24C6EB058FA2D80C34E36F1FB89F16F84C028C98907791DF7EC499C751

                                                                          Execution Graph

                                                                          Execution Coverage:0.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:74
                                                                          Total number of Limit Nodes:2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 8e95634b417f9c2d9da6f32b8bf17eb9a4111fbeb57898cc911cc05395a135c5
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: F6712D36730B5285EB109F25E89C69923A4FB87B88F001111DF8E57B69DFBCC686C750

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: f6ed66e6c857628b1aec2f6fea2e40741d54a2e76cc1fb3134c341e7300a5224
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 59118030A3474382FB609B61F84D779A294BB97384F5081269BC682691FFFCC7CA8314

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0000023942B11628: GetProcessHeap.KERNEL32 ref: 0000023942B11633
                                                                            • Part of subcall function 0000023942B11628: HeapAlloc.KERNEL32 ref: 0000023942B11642
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B116B2
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B116DF
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B116F9
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B11719
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B11734
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B11754
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B1176F
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B1178F
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B117AA
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B117CA
                                                                          • Sleep.KERNEL32 ref: 0000023942B11AD7
                                                                          • SleepEx.KERNELBASE ref: 0000023942B11ADD
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B117E5
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B11805
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B11820
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B11840
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B1185B
                                                                            • Part of subcall function 0000023942B11628: RegOpenKeyExW.ADVAPI32 ref: 0000023942B1187B
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B11896
                                                                            • Part of subcall function 0000023942B11628: RegCloseKey.ADVAPI32 ref: 0000023942B118A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: c0b36ddecb4b78bb1cc064b77a00913705e26ff548cf8165a7e1bab33c7c9d27
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: F931F26123164781FF549B2ADA4937A23A5BB47BC0F0454219F898779BEEACCAD3C210

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 15a706ecd1b405147a48140e3fbf88b857eb186e307940224290b178e3835ab6
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 0E611232B6169087EB54CF95900872DB3A2FB65BA8F189121DF990B7C8DE7CD993C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: a6acf68b3921f701c8504bca25139df1e7b4bdc3607fc547ce9d744e90d2a69e
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: B7B19362230AA286EB648F25D84877963A5F747BC4F545016DF8953795DFBCCEC2C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 315b2f58abf9bf9a1873c310fd848496801c496d9154e0ec45ebcbc619b3c56d
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: E5316D72215B818AEB609F64E8883ED7364F786744F44402ADB8E57B98EF7CC789C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: a1bf3ea65b53a230693ceb58b7ec858648380258a01017bacab39c83b8775197
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 8D312F36224B8185DB608F25E8483AE73A4F78A794F544125EBDD43B95DF7CC696CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 1f58c1730686cff35fae4be151adb5fbdd9a5d371eadc9521cfc252201a034d6
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 32513836620B8586EB54CF62E54C36A77A1F78AFC9F048124DB8907719DF7CD28ACB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 5d84426d5822a5146854de49aca2f59d9a837ffb8b89124756eff3ea606ab116
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 3C316264130A5BA0EA05EB69FC6D6E46321B707384FD054139AD9836A6DEFC87CBC360

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: caf12f7a350e9b8d44ee4a57aca92316fafc694d0e01f291f42c6b5726c6cece
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 6481D1216B060186FA54ABE6984935962A0F797F84F5C88259FC44B7D6DFFCCBC78700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 0000023942B1CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CEBC
                                                                          • SetLastError.KERNEL32 ref: 0000023942B1CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,0000023942B1ECCC,?,?,?,?,0000023942B1BF9F,?,?,?,?,?,0000023942B17AB0), ref: 0000023942B1CF2C
                                                                            • Part of subcall function 0000023942B1D6CC: HeapAlloc.KERNEL32 ref: 0000023942B1D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CF54
                                                                            • Part of subcall function 0000023942B1D744: HeapFree.KERNEL32 ref: 0000023942B1D75A
                                                                            • Part of subcall function 0000023942B1D744: GetLastError.KERNEL32 ref: 0000023942B1D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023942B20A6B,?,?,?,0000023942B2045C,?,?,?,0000023942B1C84F), ref: 0000023942B1CF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: ad34361947ada7336f86b31bf6a30ea32a5efe1354d09a1a9eb47ec0705df2a1
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: E1413B2123124742FA6AA735555D3792282BF877F0F240724ABB6477E6DEEC96C3C602

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: b91cd49770797e91654f6589a5bf3b0ced0199a432c8182d52d05585c0e07e28
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: F521413662475282F7108B25F44C36A73A0F78BBE5F504215DB9943BA8CFBCC68ACB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 509c5f4b31c8dd97d519f852364254b292217338161d423dea8d118605589a27
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: F7E17F72624B818AEB209F65D4883AD77A0F747BD8F140215EFC957B99CB78E2D2C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 073912d3211c5d6717307d2f309cd06fe85d05d1636f728bfc057ea8065464e1
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 46E19D72660B418AFB60DFA5D48839D77A0F786B98F000115EF895BB9ACB78D2D3C705

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 6f09c8afb4744aa4f42c16c278fae59e5da394e82cbe07c496c427064fdf3a43
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 8A41D662331B1281FA16CB16A84C7652395F74BBE0F1941259F8E87784EEBCC6C7C350

                                                                          Control-flow Graph (blocks 23942b1104c-23942b111d0): RegQueryInfoKeyW; RegEnumValueW in a loop; GetProcessHeap, call 23942b26168, GetProcessHeap, HeapFree
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: ba2e1a69578fa26a8eb83c5b8d2ac302807f51cbbda50584621712cd8f64e72a
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: BB416033624B85C6E760CF21E4487AAB7A1F38AB99F048119DB8907758DF7CD5D6CB00

                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,0000023942B1C7DE,?,?,?,?,?,?,?,?,0000023942B1CF9D,?,?,00000001), ref: 0000023942B1D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B1C7DE,?,?,?,?,?,?,?,?,0000023942B1CF9D,?,?,00000001), ref: 0000023942B1D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B1C7DE,?,?,?,?,?,?,?,?,0000023942B1CF9D,?,?,00000001), ref: 0000023942B1D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B1C7DE,?,?,?,?,?,?,?,?,0000023942B1CF9D,?,?,00000001), ref: 0000023942B1D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,0000023942B1C7DE,?,?,?,?,?,?,?,?,0000023942B1CF9D,?,?,00000001), ref: 0000023942B1D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 1366050ce7901682985b7bf589f054659e8773b74c0cd1428d08d3fa763177e0
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: F0115E2072464741FA68A7355A5D3797245BB477F0F244325AAB9877EADEECC6C3C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: fac1d9ea20639018c545c796994c51a6349c67e2045e7664030306e392332911
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: C381A16163034386FB50AB29A84D3B96290BB477C0F248495AFD547796EBFCCBC7A710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 8e2889272daa88d2947e958fd6f51755779e79237471ab9d41a56a59431c0cd8
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: C331C722222F82D1EE15DB02E5487752294B74BBE0F5909259FAD07798DFBDC6CB8314
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 44262b9d8466f2c7b704b98cde3ada5aece7e77720a6c996d800aa764bf28769
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 12119021330B8182E7508B12F84C319A2A4F78BFE5F140215EB9A87794CFBCCA868750
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 6d78b6ab06c7c64b8a33ebf2251cdb695a45f71392c3723117dc17bbcffd75bd
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: D9115B26724B82C2EF149B21F40C66AA2A0FB8BBC5F440029DFC907794EF7DC686C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: fb5e2bef970acb4034aecacb76368e30c76a1bf963be145c9e38c67f6f937ea4
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 17D19C76224B8985DA70DB0AE49436A77A0F38ABC4F144116EBCD47BA5DF7CC682CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: 064c722188d233ad65b930cc70b5d07b99ade6ac42e459fa3451119cc07e8000
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 77318222721B6682E614DF16E54C779A7A0FB57BC4F0841249FC847B55EF7CD6E28700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\svchost.exe
                                                                          • API String ID: 3168794593-4180442734
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: c8b53b3ecd09693694152222658e1a39a340923377275ab5dac0079b3d425c02
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: BF31C9A7929BE14AF351CF75A85D2592F60F787F42F099015DBC003247E97CA6C2C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: dde30ba085f46f4be51c0527e20ead402f76c30e788019a484bcf12f8054e561
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: F0113D2023178341FA65A725665D3396242BF877F0F144725ABB6877DADEEC86C3C701
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: f409e17eebd297bf9963a5e552d7556d9f7d2eb4a0fc8c0255c232cf5353d79f
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: CA016D21720B8282EB14DB52B44C35963A1F78ABC1F484035DFA943755DF7CCACAC710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: b0caa4f5406828a1d39c246a49c1e7bc2fd622be21ad0fd35cefd66e73b13d1e
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: B5012D7562174282FB249B22F84C72663A0BB4BB86F140425CFC907755EFBDC69AC714
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 53f5518fb106970c30f56deb6f623ca7e9cce37319c403db4fff949b66d3a64d
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: D051B532721A8296EB14DB15E44CB6937A6F347BC8F148124DB974374CEBB9DAD2C708
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: b9f75dc467751a99437ae7f03861d494dcd42f8ff6a56fb7fb8d31bb7ccbd68e
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: A3317832220B8196E7149B11E84C76937A5F347BC8F158114AF9603789DBBDCAD2C708
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: 7ca44ef29f4aff3bcab73f95657e8595597cd3d0611ff8467564ac0cf8c78ebf
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 52F0312273464292E7608B25F99C7696760F74ABC8F948020DB9947699DBBCC7CECB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: a1628757d0e9da781840cd611e3f79bf31a9c160a25f0478d2664ec4a4615cc8
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: 4BF0891072478281EA004B17BA1C1156260B74BFD0F049130DFD647718DF7CC6C68710

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: 41dd131dfa2b13d3b94f2975155a8e1987f367c92947d5c0744863424d67b722
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: B2F0626122170681EB148B24F44C36A6320FB8BBA1F540219CBEA451E4CFACC6C69350

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction ID: c86a1d372a19ab8a2744613c9679dd834f9d58daf48a29dc023fcc98bc137003
• Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction Fuzzy Hash: 5F02B732229B8586E760CB55E49436AB7A0F3C67D4F104016EBCE87BA9DFBCC595CB40

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction ID: 224ea272dc5eecf1d0052d918d1ef293b74cd5bf02aa352f521ac72b73274aea
• Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction Fuzzy Hash: F961B936539A85C6E760CB15E45832AB7A4F38A7C4F105116EBDD47BA8DBBCC685CB00

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: da746408b6cc68a3cb8bd09f2db51aecfc04f3aee712ae28c6d27dee3989b8e7
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: D1115426A30F6311F7641568F45D36529717F6B3B5F180A24E7F62AED6CAACCAC34120

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: bcfb743df6b1fb7b95f5edcc7ebcb7be68c3a5eff787f8e2b9f49dd2d6ab7bfe
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: E111A722630AD119FB941528E44D36991917BDB3B4F4B4638AFE606ED6CAECCBC74310

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
• API String ID: 3215553584-4202648911
• Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
• Instruction ID: d199e228225c13f6ae760aed665bfbd7965bc8e44ba4255bb8646d476e028407
• Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
• Instruction Fuzzy Hash: DD61C3325A064442FA699BE9E44C32A66A1F787740F554415CFC68B7E4EBFCCBC78300

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: 34e72fca31f5eb4414bda259b86940dd9f3e4ef6086a5234e3626a0a57130d90
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: CF618D33620B85CAEB20DF65D4843AD7BA0F746BD8F044215EF9917B98DBB8D696C700

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 29e17a76cbabb995257f6db8a5ca0e1810aa87abfe664f9ba87808eb57e71e1a
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 3A51AE731207828AEB648F15948836977A0F357BD5F284226DBC987BD5CBBCE6D2C701

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 1b9365f03d34b6dc57578e1260d2c93e236accd498f7b23265355e699e576540
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 2651AB361A0381CAFB648BA5944835877A1F756B84F188216DFC98BBD6CBBCD6D3C700

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction ID: e74e1e224bcf41bf01ea9c6f267f0fba6dfb801d83f69a23fabd60320087302b
• Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction Fuzzy Hash: 3551DC326616008EFB14CB55E448B183796F352B98F118024DF964B7E8EBBCCAC3CB16

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: 2a2de6c6fcec5a077e1bc623eac62f6d895a39a713b52a8d39e04b89562d1b8c
• Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction Fuzzy Hash: 7C316B322616409AF714DF51E84C71977A5F742B98F158414EF9A0BBE8DBBCCA83C705

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction ID: 2cd817ec5555f0650c412721b830e7a8e354b6aad94e5975e721488ea3da1665
• Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
• Instruction Fuzzy Hash: EAD1EF32B24B8189E711CF69E4482EC3BB1F356798F048616CF9997B99DE78C687C350

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction ID: 72f4c9d48a1e0cda175b17f239b11b1585c5ffa99c8b842dc6ca323fbddd0fc7
• Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction Fuzzy Hash: F991B23272075285F7609F75A48C3AD2BA0B747B88F144509DF8AA7A94DEBCC6C3C720

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction ID: 4f400a5b69aa5bf2688d588b867f5f55590513b85eff8db344cae02cb2629fa9
• Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: 4A112126720F0189EB00CF60E8593A833A4F71A758F441D21DBAD47794DBBCD2D98380

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 901b46a8688f0d9e7c740215a400069a21b07742ddb5f3b56e76d8d3c0e13bff
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: D571B53622079286E765DF25A84C3BA6794F7877C4F540016DF8953B89DEBDCB86C700

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: 21c8198df3b1e5cd375fae852c744e26035c11536e0a1da27959340dead36c94
• Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction Fuzzy Hash: EF617B33610B848AFB24DFA5D48439D77A0F749B88F044216EF891BB99DBB8D696C704

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction ID: 1dc68bb2d1d3ef29900816e6d85fd1d51d972f6bb2c80bb66fc3cdf77c7ea21f
• Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction Fuzzy Hash: DB51E83222479381E674DA29A5AC3BAAB51F3877C0F490125DFD903B5ADEBDC786C740

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction ID: 958032e7bb851407a2659dff6c69b9df7d1aca6d337ad4864dae1845bd63d866
• Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction Fuzzy Hash: 14419332725B8186DB209F25F4483AA77A0F79A794F504521EF8D87794DFBCC682C750

Memory Dump Source
• Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction ID: 65bdccc0272201d2a73ffbd8f351ef5306a2c3c9d075da414e0aa8d95f34276c
• Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: 4B112B32224B8182EB618B15F448359B7E5F78AB94F584220EFCC47759DF7CC692CB04

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
• Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction ID: 28efb64d62c58961beedb1f191654261833f2e1c2e864d206abf1bae801bab21
• Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction Fuzzy Hash: 32E08661651B44D0EF058F61E88429833A0EB59B64F4991229E9C07351FA7CD2EAC300

Memory Dump Source
• Source File: 0000002E.00000002.2631167338.0000023942AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_23942ae0000_svchost.jbxd
Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 03aa8619a34496d11caf5e8da6618501c6f01f2862542e5aa263bed658a6699f
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 11E0CD61651B44C4EF058F61D8801987360F759B54F89D122CF8C07391FB7CD2E6C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: b70eb6b1f7f97ab75b431eab33cb6ef54f9e59f666c37de9c7e639b2dc8268d7
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: E0118C25A21B8681EA04DB66A80C22973A1FB8BFC1F185028DF8D47766DEBCD583D300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002E.00000002.2631674506.0000023942B10000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023942B10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_46_2_23942b10000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: ed07e78da87d333663c65548bce91fcffebdfa90fda8703a7a98be8604c97a31
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 7CE06D35A2171586EB048F62E80C34A36E1FB9FF06F04D024CA8907351DFBD95DACB60

                                                                          Execution Graph

                                                                          Execution Coverage:0.8%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:480
                                                                          Total number of Limit Nodes:9

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: cd2a018c2ca89667107471ebb9e9103cc521687726bafa83e98e7cd0330a8c99
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 0BE0393562265486EB158B66E80838E36E2EB99B16F0480288D0907352DFBD849AC750

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
                                                                          • String ID:
                                                                          • API String ID: 3331406755-0
                                                                          • Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                                          • Instruction ID: 2051d0fb3feaa8111bbf8230b710eb358136df25e19bada8ab1caa850ffd535d
                                                                          • Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
                                                                          • Instruction Fuzzy Hash: BC31B531A047D081EA349F62E8442DEB6A6B794BD4F08463DBD4B53BC6DFB8C5028740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 487ca6d69ca5f5b92772906fe0199dc39dbab06cf3531d28a77e50b3ab1c8008
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: A3110335F106C082FA709B25FA1D3DD2296A754344F51493CBD0681697EFF8C1868662

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000001EF056D1628: GetProcessHeap.KERNEL32 ref: 000001EF056D1633
                                                                            • Part of subcall function 000001EF056D1628: HeapAlloc.KERNEL32 ref: 000001EF056D1642
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D16B2
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D16DF
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D16F9
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D1719
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D1734
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D1754
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D176F
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D178F
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D17AA
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D17CA
                                                                          • Sleep.KERNEL32 ref: 000001EF056D1AD7
                                                                          • SleepEx.KERNELBASE ref: 000001EF056D1ADD
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D17E5
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D1805
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D1820
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D1840
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D185B
                                                                            • Part of subcall function 000001EF056D1628: RegOpenKeyExW.ADVAPI32 ref: 000001EF056D187B
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D1896
                                                                            • Part of subcall function 000001EF056D1628: RegCloseKey.ADVAPI32 ref: 000001EF056D18A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 56a61ed1c22aa70809ba1ef552c9e7adef8cbb8a14280a803190e53eea46f358
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 7331F072B106C541FF709B26DA693ED13A6AB95BC4F045839BE0987697FEF4C453C220

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer
                                                                          • API String ID: 0-3528709123
                                                                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction ID: ede4f874cc69a4b5ca352588f7248873ba5645b9888b763ed146c10f1c22a78f
                                                                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction Fuzzy Hash: 6CD0A77072228586FF74DFE6D8CD6E82363EB14B54F88543CED0002251DB988D8F9760

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 0c5674226d783c956eadadbc144633e65e9082b701126f73034fc91fa37fbeee
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: EE61123AB416D087DB648F56D0287ADB393F754BA4F988139EE590378ADA78D853CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap
                                                                          • String ID:
                                                                          • API String ID: 4292702814-0
                                                                          • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                                          • Instruction ID: f2385afa0adc2066639d79047e4076e3cf136975bd7d27afbdbcc2edf776a143
                                                                          • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
                                                                          • Instruction Fuzzy Hash: 52F06D78B012C041FEB466A5E81D3ED12A35B88B80F0C583C6D0A862C3DDECC48386B0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: bc34481fe6d1cb0786dc2a19affd63ab5fc76c92cc80969be77305afbdaf40f3
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 4CB19D7AA10AD082EBB48F25D4687ED63A6FB44B84F04583AFE0953796DFB5CC42C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 6e1b243ca6a839fdabc52388a1b6cb249c9ecbbc774d54353a458daea446c3f3
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 7D314A72605BC08AEB709F60E8843ED7362F794744F44443AEE4E47A9AEFB8C649C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 4d243f8bde402fdfb98c494d0b0b6b8002be006aa2a51aad393a08c56a91869e
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: DE315B32614BC086DB709B25E8443EE73A2F789754F54053AEE9D43B96DF78C546CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: aadf18decef27ea70d145300f483afa7d657a1880e2cca24712fcebeacc82d83
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: DD715C36711AA086EB709F65E8486DD23B7F795B88F001539EE4E47B2AEFB4C546C340

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: ec03f580a342f8ddd3090ab47cd5febb6379062bce6b34ccc72dfbc7d0792102
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 76515C32611B9486EB61CF66E9483DE77A2F389B99F044138EE4907719DFB8C046C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: a9fdfbc933244c704832b729428d4f766ae64f69a530f2701a05f1dfb8ab6faf
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: A1319AB8A019DAA0EB34DB55EC696DC6363B744744F80583FBC0916667AEF8C24BC760

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 31da79c6488f16e94e029edb70b1af133860c8b34bbac48184f4da1a1d9ecc47
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 3F817C71A002C186FA70ABA5D44D3DDB693AB95780F5C803DBE0647797EBB8C8878B00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001EF056DCE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCEBC
                                                                          • SetLastError.KERNEL32 ref: 000001EF056DCED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001EF056DECCC,?,?,?,?,000001EF056DBF9F,?,?,?,?,?,000001EF056D7AB0), ref: 000001EF056DCF2C
                                                                            • Part of subcall function 000001EF056DD6CC: HeapAlloc.KERNEL32 ref: 000001EF056DD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCF54
                                                                            • Part of subcall function 000001EF056DD744: HeapFree.KERNEL32 ref: 000001EF056DD75A
                                                                            • Part of subcall function 000001EF056DD744: GetLastError.KERNEL32 ref: 000001EF056DD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001EF056E0A6B,?,?,?,000001EF056E045C,?,?,?,000001EF056DC84F), ref: 000001EF056DCF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 67c5afce92a63b65f19050179c0d62ece87effc3a4b1bca25b0f817e10d23d2d
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 8C411770B412C881FA79A725D55D3EDA2939F957B0F140F3CBD26466E7DEE98883C220

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: aeb96f3d5c5a2a112554736e3f93f72679af0b49db1cb1799eebc8a021b52739
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 3C2121366147A083FB20CB25F55839D77A2F795BA4F504229EE5903BA9DFBCC54ACB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 6982df47c188d4e366e8061e8b6ec9c4e75e4d81b76fe62e134036ad0916524f
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 0DE15E72604BC08AEB709BA5D4483DDB7A2F755798F20412AFE4957B9BCF74C592CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 265c21803fc96880afd6f203238d106f9b6b28b4e800c19147ad8799df22a2c4
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: D0E16D72A08BC08AEB709FA5D4483DD77A2F745798F140939FE8957B9ACB78C482C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 81af30677225664974826b26ed58c4314f69550e8db5858cf03e6b92dd4f7242
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 1741C532711A9091EB36CB16E90C7ED6393B745BE0F054A3DAD0A87787EEB8C4478320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 698eced6b22baa66ddc1e6839135e4ecab214628fe1241a280653f08a97fe177
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: F7414E33614BC4C6E760CF21E84879E77A2F389B98F448129EE8907759DFB8C54ACB50
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001EF056DC7DE,?,?,?,?,?,?,?,?,000001EF056DCF9D,?,?,00000001), ref: 000001EF056DD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056DC7DE,?,?,?,?,?,?,?,?,000001EF056DCF9D,?,?,00000001), ref: 000001EF056DD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056DC7DE,?,?,?,?,?,?,?,?,000001EF056DCF9D,?,?,00000001), ref: 000001EF056DD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056DC7DE,?,?,?,?,?,?,?,?,000001EF056DCF9D,?,?,00000001), ref: 000001EF056DD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001EF056DC7DE,?,?,?,?,?,?,?,?,000001EF056DCF9D,?,?,00000001), ref: 000001EF056DD0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 4298fa7a489992e5017646c619130d062d1300e42a39b57531581410785aa05f
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 35114F30F046C841FA786726D9593ED62639B957F0F544B3CBC2A066DBDEE9C4438220
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 2022e1a1d8ea8e3f7e27cf0857c159d34407ead0b038d4bcae873d90657ae1e9
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 95817E31E006C186FAB0AB66E4493ED6293E795780F544C3DBD0847797EBF9C9478722
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: bc91c6d956ba39a4cac39bd5116ecfe2c759d3b24ddbf4aaf5ba169a19f31918
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 5431C731712690E1EE36DB42E4087DD6296BB48BA0F590E3DBD1D47392EFB8C446C320
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: f2742a7d5909eea428b741b80b7849ceba276a99b7be5a319b353e76878fc810
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: CB118E31311A9086E7608B16F84839D72A2F798FE4F040229FE5A87796CFB8C9068740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: acadbe3eb09f7d71bc35bf6b8241b61ba8bfaceadb6639e931da8a42f7133f90
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 44118E36701B9082EF649B11F40C2AD63A2F788B84F04083CEE8903756EF7DC506C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: ae8693864295e5a35c3e9f536fdff30c866fb4c2346fda94f2a556b2cc8ed26c
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: CED18B76605B8881DB709B06E49439E77A1F3D8B84F10062AEECE47BA6DF7CC552CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: 92ec10b019f45fdcae44462127da5290307aff9666fb16c2acd25f204a8a6070
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 8A31C936B01B9182EB35CF16E5587ADA792FB54B84F044838BE4847B57EFB4C462C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\System32\svchost.exe
                                                                          • API String ID: 3168794593-3822071397
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: 02b52be66b6ff45706aec94799afad1dcb6b305fa9ec0917883751663b106472
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: 233197B750ABE08AFB66CB79EC592DD2F63F7A5F40F09803DEE4503257E9A484068700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: ad6bd71dbb2ffb916a646703f8db6216379822b8deb01a87a2f0dce894905efe
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: 85113B30B012C881FA74A726D54D3ED61539B997E4F144A3CBC26467D7DEE9C8438220
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: f7dbd9ec9688cc2d10328496d15616cee54abef8c3c11c69e1693a7ffdc8deae
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: F1015731701A9082EA60DB52F84839D63A2F798BC4F884439EE4943756DEBCC98AC740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: fef18b8453c1c466e35b9681547360562c0e391c63b42431d9fa1743bbd9d084
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: C5013974712B9482EB759B21F81C79D23A2BB55B86F04083CED4906756EFBCC10A8710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: 8c2693f3d9bf7d5bb1aee9af743be6b30933a64ee2da31fdc9b00e7aa035c004
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: 3451BF32B016818AEB24DF15E84CB9D37A7F355B98F118938FE164778ADBB5C842C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: 5454e596d9030c573d6d3ed28252b642caab70548bd3eefdfc23d8c158034a51
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 7AF0A43270069082EB308B20F8887DD6363F758B98F844038EE4947956DFBCC64ECB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 94df4960d741f2a3c5eeb7f78af4665eabfef1e918f8397a6dddf511ae0bfb9d
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: 41F08230705BD082EA208F13F90C19D6263AB58FD0F085538FE4607B1ADFBCC8468700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: 2098809f51e181b349ee9a53ce976b49affc76bc21c28d1038c1a31a2751e5de
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: A5F0627121269481EB348B24F44C39D6323FB99765F54063DEE6A451FACFACC5468710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 02bffea5d5a63f876107c2e123ff812cb1cd26ccd15b216ae589367254470c07
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: EF02C732619BC486EB60CB55E49439EB7A1F3C5780F100529FE8E87BA9DFB8C485CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: d4233fab29152cf36919dbe7845e61aa8570b793a33cbd469737cd7ce18de2af
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 27619A36A19B84C6E7B08B15E44835E77A2F398784F100539FE8E47BA9DBB8C551CF10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 014165b0d9afff56cfa31d5c085a9c1e6d1e9842e63309e2058e453b71de3237
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 3511A073B20AD1D1FAB41568E45E3ED11836B58375F588E3CBE66063E7CAE8CAC74210
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: e5757c668b37d16235c730b9b7cceac289a5c93896c0571bdaa5a9130e4c3bbd
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 1D114F32A16BF111FE741578DC5D3FE11436BA83AAE19063CBD76466D79EA8C8434200
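The two `_set_statfp` records directly above carry the same Opcode ID (9af7c444…) and Opcode Fuzzy Hash but different Instruction IDs, and come from two different dump regions of the same svchost.exe snapshot (hcaresult_47_2, bases 0x1EF056A0000 and 0x1EF056D0000). A triage analyst reading a listing like this wants to pivot on exactly that: which functions recur across regions, and which ones reference a string. The script below is an added example, not part of the Joe Sandbox report; it parses the record format shown on this page from a constructed sample made of three records copied from the listing, and the reading that an identical Opcode ID with differing Instruction IDs means the same function relocated (because the opcode hash ignores operands) is our assumption, not something the report states.

```python
"""Pivot a Joe Sandbox function listing on Opcode ID.

Added triage helper (not part of the report).  Parses the per-function
records shown above and reports functions whose Opcode ID recurs in more
than one memory-dump region of the same process.
"""
import re
from collections import defaultdict

# Constructed sample: three records copied from the listing above.  The bare
# heading lines (Strings, Memory Dump Source, Similarity, ...) and the two
# Fuzzy Hash lines are left out; the parser ignores heading lines anyway and
# in these records the Opcode Fuzzy Hash repeats the Opcode ID.
SAMPLE = """
APIs
• Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
• Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
• API ID: Heap$Process$AllocFree
• String ID: dialer
• Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction ID: 92ec10b019f45fdcae44462127da5290307aff9666fb16c2acd25f204a8a6070
APIs
• Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
• Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
• API ID: _set_statfp
• String ID:
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 014165b0d9afff56cfa31d5c085a9c1e6d1e9842e63309e2058e453b71de3237
APIs
• Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
• Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
• API ID: _set_statfp
• String ID:
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: e5757c668b37d16235c730b9b7cceac289a5c93896c0571bdaa5a9130e4c3bbd
"""

BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """One dict per function; a record starts at the bare 'APIs' heading.

    Every '• Key: Value' line becomes a field.  The dump region is taken
    from 'Offset:' in the Source File field and stored as int under 'base'.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {}
            records.append(cur)
            continue
        m = BULLET.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        cur[key] = value
        if key == "Source File":
            off = OFFSET.search(value)
            cur["base"] = int(off.group(1), 16) if off else None
    return records


def shared_functions(records):
    """Opcode IDs seen in more than one dump region: {opcode: {base: instr}}.

    Assumption (ours, not stated by the report): the Opcode ID hashes the
    instruction mnemonics only, so an identical Opcode ID at two bases with
    differing Instruction IDs is the same function relocated, not two
    functions that merely look alike.
    """
    by_opcode = defaultdict(dict)
    for r in records:
        if r.get("Opcode ID") and r.get("base") is not None:
            by_opcode[r["Opcode ID"]][r["base"]] = r.get("Instruction ID", "")
    return {k: v for k, v in by_opcode.items() if len(v) > 1}


def strings_of_interest(records):
    """(base, API ID, String ID) for every function that references a string."""
    return sorted((r["base"], r.get("API ID", ""), r["String ID"])
                  for r in records if r.get("String ID"))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for op, hits in shared_functions(recs).items():
        bases = ", ".join(f"0x{b:X}" for b in sorted(hits))
        print(f"opcode {op[:16]}... present at {bases}")
    for base, api, s in strings_of_interest(recs):
        print(f"0x{base:X} {api}: {s!r}")
```

Run against the full listing (copied out of the report with the indentation intact; the parser strips it) the same two functions surface: `_set_statfp` and the `Frame$EmptyHandler3::StateUnwind__except_validate_context_record` function (Opcode ID b607b941…) appear at both bases, which is what you would expect when one PE image has been written into two regions of the host process. The string pivot pulls out the records worth reading first: `dialer`, `C:\Windows\System32\svchost.exe`, `\\.\pipe\`, and `CorExitProcess$mscoree.dll`.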
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction ID: c113b4958e5f20a70ea71a357c1ce8e9e46d250940ae5b5f0b4fd1c9716d9fe7
                                                                          • Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction Fuzzy Hash: E3111A30B012D482FA749B25E8487ED6293AB547E0F144A3CBD26477D7DAA9C883C720
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 2afd3f955c3733ff75654bc777ddb71a6366763002e127ebd15de92134bf44ab
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 3E61717A6006C082FA759BE5D55C3EEFAA3A785780F50453DFD06137A6EAB4C843CB02
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: d64edb6d373f34353f81fe1b268f4877e95f6ea497e85000576f9e30a9c03425
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: C2618133A05B848AEB20DFA5D4443DD77B2F344B98F084629EF4917B9ADBB8C596C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 24c411ae24807c4599a27bf230a48bfe1504b3fc32e6d0480625a10cdebbac59
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: F3515F321002C0CAEB748BD5D54839DB7A2F755B94F18412FEE5987B96CBB9D4A2CF00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 9ecfab4edfd1fd56d045ee83b6b2270469e698a7a7b751939a45457873505ac7
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 59518F729082C08AEB748BA6D48839DB7A2F394B84F144939FE4947B96CBB8D452C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: dd166a5c7f25b1a577e0d12c289f1c62938f0d774839d14c28ea42d60efb64e5
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 8F51A1327116808AEBA4DF55E45CB9DB796F354B98F508138EE164378AEBB4DC428F04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: f4816deb9ea21b8525842fc009ad17c6db12633bead108611eb7a77a8f9cda5b
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 59318D32201680DAE764DF61E84C79DB7A6F340B98F158138FE5B47786DBB8C942CB44
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 35fa8b51676c63c2aa4f12b7d3506a7db590a6713866780e1e7050beff1da529
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 98D10076B05AD089E721CFA9D4583DC3BB7F354798F00422AEE5A97B9AEA74C507C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: 56b34034fb45b03d444ce6d30033f178a03d155f14d4e2316c83aafdffe4279c
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: 4D91D476B116E485F7709F29D4A83ED3BABB704B88F14412DEE0A67696DBB4C487C700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: f569dad9ef132b2a29f801372b2d5feb3b57ddbdb9280db14cacda7fbe510697
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: A9114C32B11B4489EF10CB60E8583EC33A5F719768F440E39EE6D467A5DFB8C1998380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: 23d0e5b2af487a24cdae1e249f101a26cb68bcc93e168c9f1c74df57096f67df
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: D971B33AA007C186EBB59F25D8683EE6796F389B84F44043EFD0953B8ADEB5C546C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: ce1aa31338a9c0a6f29c55333db4f2e6b74a1849ac8fcb95c043c384e2f0275f
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: FD616037600B848AEB20DFA5D4443DDB7A2F744B8CF144229EF4917B9ADBB8D596CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 840cd630a9b204a4dcf434410a26aa12b829491f1cf504a6646e3c8aef41c21f
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 9251E33AA043C181E6759F29E4AC3FE6753F385780F44093DED4903B5BCAB9C54687A0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 1ad4ea21f82d8cd1cdfa34d65a9764b4613e72ab5f15ef25734cba0a9a8e891e
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 2641C272715A9082DB608F25E8583EEB7A7F398794F404039EE4D87795EBBCC446CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: e58183df9718549d57438d426fd561fdfbf145723386fed7df5a9e86cadfa811
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 25112B32615B8082EB618B15F44839D77E6F788B98F584634EE8D07B6ADF7CC552CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 7b4f4cbdac5b013444302c874f5a74344fbc239b742e3c13087d61d08bfbcab7
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 56E08671640BC4D0EF129F61E8442DC73A1DB68B64B489132EE5C07312FA78D1FAC700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2629591192.000001EF056A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 42b3c8cad6d169595bb9e830532a938ef58254861cbba5ededc86e54876b1acd
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 62E08671600B84C0EF129F61D4401DC7361E768B54B889132DD4C07312FA78D1E6C700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.2630089398.000001EF056D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001EF056D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_1ef056d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 9143bb0182314890c745dcae0ff08f898dae5a54ba465a7b310e66d38477ce92
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: C5118235B11B8881EA65DB6AE8082AD73A2F789FC0F18403DEE4D43766DEB8C443C300

                                                                          Execution Graph

                                                                          Execution Coverage:1.1%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:1680
                                                                          Total number of Limit Nodes:7
8926->8928 8939 2287ad4ba74 8927->8939 8928->8927 8935 2287ad4bc98 GetModuleHandleExW 8928->8935 8931 2287ad4bc2a 8938 2287ad4bccc _invalid_parameter_noinfo __vcrt_InitializeCriticalSectionEx 8935->8938 8936 2287ad4bcfa FreeLibrary 8937 2287ad4bd01 8936->8937 8937->8927 8938->8936 8938->8937 8940 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8939->8940 8941 2287ad4ba90 8940->8941 8953 2287ad4baac 8941->8953 8943 2287ad4ba99 8944 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8943->8944 8945 2287ad4baa1 8944->8945 8945->8931 8946 2287ad4bc40 8945->8946 8971 2287ad4bc74 8946->8971 8948 2287ad4bc4d 8949 2287ad4bc51 GetCurrentProcess TerminateProcess 8948->8949 8950 2287ad4bc62 8948->8950 8949->8950 8951 2287ad4bc98 2 API calls 8950->8951 8952 2287ad4bc69 ExitProcess 8951->8952 8954 2287ad4bac2 _invalid_parameter_noinfo 8953->8954 8956 2287ad4bb25 8953->8956 8954->8956 8957 2287ad4c48c 8954->8957 8956->8943 8960 2287ad4c330 8957->8960 8961 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8960->8961 8962 2287ad4c34c 8961->8962 8967 2287ad4c36c 8962->8967 8965 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8966 2287ad4c35e 8965->8966 8966->8956 8968 2287ad4c355 8967->8968 8969 2287ad4c39a _invalid_parameter_noinfo 8967->8969 8968->8965 8969->8968 8970 2287ad4d744 __free_lconv_num 7 API calls 8969->8970 8970->8968 8974 2287ad4d1bc 8971->8974 8973 2287ad4bc7d 8973->8948 8975 2287ad4d1cd 8974->8975 8976 2287ad4d1db 8975->8976 8978 2287ad4f550 8975->8978 8976->8973 8981 2287ad4f394 8978->8981 8980 2287ad4f578 8980->8976 8984 2287ad4f3f1 __vcrt_InitializeCriticalSectionEx 8981->8984 8986 2287ad4f3ec __vcrt_InitializeCriticalSectionEx 8981->8986 8982 2287ad4f421 LoadLibraryExW 8983 2287ad4f4f6 8982->8983 8982->8986 8983->8984 8985 2287ad4f50d FreeLibrary 8983->8985 8984->8980 8985->8984 8986->8982 8986->8984 8987 2287ad4f480 LoadLibraryExW 
8986->8987 8987->8983 8987->8986 9221 2287ad506f0 9224 2287ad50674 9221->9224 9225 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9224->9225 9226 2287ad50692 9225->9226 9227 2287ad506cb 9226->9227 9230 2287ad50acc _invalid_parameter_noinfo 7 API calls 9226->9230 9228 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9227->9228 9229 2287ad506d2 9228->9229 9230->9226 9231 2287ad47b1c 9232 2287ad47b40 __scrt_acquire_startup_lock 9231->9232 9233 2287ad4b8e5 9232->9233 9234 2287ad4cfa0 __std_exception_copy 7 API calls 9232->9234 9235 2287ad4b90e _invalid_parameter_noinfo 9234->9235 9552 2287ad4da9c 9553 2287ad4dac1 9552->9553 9562 2287ad4dad8 9552->9562 9554 2287ad4d6ac __std_exception_copy 7 API calls 9553->9554 9556 2287ad4dac6 9554->9556 9555 2287ad4db90 9602 2287ad4befc 9555->9602 9557 2287ad4d570 _invalid_parameter_noinfo 20 API calls 9556->9557 9558 2287ad4dad1 9557->9558 9562->9555 9566 2287ad4db68 9562->9566 9569 2287ad4db25 9562->9569 9582 2287ad4dce0 9562->9582 9563 2287ad4dbf0 9564 2287ad4d744 __free_lconv_num 7 API calls 9563->9564 9567 2287ad4dbf7 9564->9567 9565 2287ad4dc81 9568 2287ad4d744 __free_lconv_num 7 API calls 9565->9568 9570 2287ad4db48 9566->9570 9574 2287ad4d744 __free_lconv_num 7 API calls 9566->9574 9567->9570 9573 2287ad4d744 __free_lconv_num 7 API calls 9567->9573 9571 2287ad4dc8c 9568->9571 9569->9570 9577 2287ad4d744 __free_lconv_num 7 API calls 9569->9577 9576 2287ad4d744 __free_lconv_num 7 API calls 9570->9576 9575 2287ad4dca5 9571->9575 9578 2287ad4d744 __free_lconv_num 7 API calls 9571->9578 9572 2287ad4dc22 9572->9565 9572->9572 9581 2287ad4dcc7 9572->9581 9608 2287ad50f50 9572->9608 9573->9567 9574->9566 9579 2287ad4d744 __free_lconv_num 7 API calls 9575->9579 9576->9558 9577->9569 9578->9571 9579->9558 9583 2287ad4dd0e 9582->9583 9583->9583 9584 2287ad4d6cc __std_exception_copy 7 API calls 9583->9584 9585 2287ad4dd59 9584->9585 9586 2287ad50f50 20 API calls 
9585->9586 9587 2287ad4dd8f 9586->9587 9588 2287ad4e1b4 17 API calls 9587->9588 9589 2287ad4df46 9588->9589 9617 2287ad4f5a8 9589->9617 9594 2287ad4e00d 9595 2287ad4e1b4 17 API calls 9594->9595 9596 2287ad4e03d 9595->9596 9597 2287ad4f5a8 3 API calls 9596->9597 9598 2287ad4e066 9597->9598 9641 2287ad4d910 9598->9641 9601 2287ad4dce0 24 API calls 9603 2287ad4bf4c 9602->9603 9604 2287ad4bf14 9602->9604 9603->9563 9603->9572 9604->9603 9605 2287ad4d6cc __std_exception_copy 7 API calls 9604->9605 9606 2287ad4bf42 9605->9606 9607 2287ad4d744 __free_lconv_num 7 API calls 9606->9607 9607->9603 9613 2287ad50f6d 9608->9613 9609 2287ad50f72 9610 2287ad50f88 9609->9610 9611 2287ad4d6ac __std_exception_copy 7 API calls 9609->9611 9610->9572 9612 2287ad50f7c 9611->9612 9614 2287ad4d570 _invalid_parameter_noinfo 20 API calls 9612->9614 9613->9609 9613->9610 9615 2287ad50fbc 9613->9615 9614->9610 9615->9610 9616 2287ad4d6ac __std_exception_copy 7 API calls 9615->9616 9616->9612 9618 2287ad4f394 3 API calls 9617->9618 9619 2287ad4df71 9618->9619 9620 2287ad4d794 9619->9620 9621 2287ad4d7be 9620->9621 9622 2287ad4d7e2 9620->9622 9625 2287ad4d744 __free_lconv_num 7 API calls 9621->9625 9640 2287ad4d7cd FindFirstFileExW 9621->9640 9623 2287ad4d83c 9622->9623 9626 2287ad4d7e7 9622->9626 9624 2287ad4f07c MultiByteToWideChar 9623->9624 9632 2287ad4d858 9624->9632 9625->9640 9627 2287ad4d7fc 9626->9627 9628 2287ad4d744 __free_lconv_num 7 API calls 9626->9628 9626->9640 9629 2287ad4ca0c 7 API calls 9627->9629 9628->9627 9629->9640 9630 2287ad4d85f __vcrt_InitializeCriticalSectionEx 9630->9640 9658 2287ad4d620 9630->9658 9631 2287ad4d89a 9634 2287ad4f07c MultiByteToWideChar 9631->9634 9631->9640 9632->9630 9632->9631 9633 2287ad4d88d 9632->9633 9635 2287ad4d744 __free_lconv_num 7 API calls 9632->9635 9636 2287ad4ca0c 7 API calls 9633->9636 9634->9630 9635->9633 9636->9631 9639 2287ad4d6ac __std_exception_copy 7 API calls 9639->9640 9640->9594 9642 2287ad4d95e 9641->9642 9643 2287ad4d93a 
9641->9643 9644 2287ad4d964 9642->9644 9647 2287ad4d9b8 9642->9647 9645 2287ad4d744 __free_lconv_num 7 API calls 9643->9645 9648 2287ad4d949 9643->9648 9646 2287ad4d979 9644->9646 9644->9648 9649 2287ad4d744 __free_lconv_num 7 API calls 9644->9649 9645->9648 9650 2287ad4ca0c 7 API calls 9646->9650 9651 2287ad4da14 9647->9651 9654 2287ad4d744 __free_lconv_num 7 API calls 9647->9654 9655 2287ad4d9e3 __vcrt_InitializeCriticalSectionEx 9647->9655 9648->9601 9649->9646 9650->9648 9652 2287ad4ca0c 7 API calls 9651->9652 9652->9655 9653 2287ad4d620 7 API calls 9656 2287ad4d9f0 9653->9656 9654->9651 9655->9648 9655->9653 9657 2287ad4d6ac __std_exception_copy 7 API calls 9656->9657 9657->9648 9659 2287ad4cfa0 __std_exception_copy 7 API calls 9658->9659 9660 2287ad4d62d __free_lconv_num 9659->9660 9661 2287ad4cfa0 __std_exception_copy 7 API calls 9660->9661 9662 2287ad4d64f 9661->9662 9662->9639 9663 2287ad54c9f 9664 2287ad54d22 9663->9664 9665 2287ad54cb7 9663->9665 9665->9664 9666 2287ad49634 _CallSETranslator 4 API calls 9665->9666 9667 2287ad54d04 9666->9667 9668 2287ad49634 _CallSETranslator 4 API calls 9667->9668 9669 2287ad54d19 9668->9669 9670 2287ad4c6a8 17 API calls 9669->9670 9670->9664 9671 2287ad54e99 9672 2287ad49634 _CallSETranslator 4 API calls 9671->9672 9673 2287ad54ea7 9672->9673 9674 2287ad54eb2 9673->9674 9675 2287ad49634 _CallSETranslator 4 API calls 9673->9675 9675->9674 8988 2287ad53d98 8989 2287ad53daf 8988->8989 8990 2287ad53da9 CloseHandle 8988->8990 8990->8989 8991 2287ad4b3a4 8998 2287ad4b2d7 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8991->8998 8992 2287ad4b3cb 8993 2287ad49634 _CallSETranslator 4 API calls 8992->8993 8994 2287ad4b3d0 8993->8994 8995 2287ad49634 _CallSETranslator 4 API calls 8994->8995 8996 2287ad4b3db __FrameHandler3::GetHandlerSearchState 8994->8996 8995->8996 8997 2287ad49ce4 LoadLibraryExW LoadLibraryExW FreeLibrary TlsSetValue Is_bad_exception_allowed 8997->8998 8998->8992 8998->8996 8998->8997 8999 
2287ad49d0c __FrameHandler3::FrameUnwindToEmptyState 4 API calls 8998->8999 8999->8998 9676 2287ad414a4 9677 2287ad414e1 GetProcessHeap HeapFree GetProcessHeap HeapFree 9676->9677 9678 2287ad414c1 GetProcessHeap HeapFree 9676->9678 9679 2287ad56180 9677->9679 9678->9677 9678->9678 9680 2287ad4d2a4 9681 2287ad4d2de 9680->9681 9682 2287ad4d306 RtlCaptureContext 9681->9682 9683 2287ad4d33b capture_current_context 9682->9683 9684 2287ad4d376 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9683->9684 9685 2287ad4d340 RtlVirtualUnwind 9683->9685 9686 2287ad4d3c8 9684->9686 9685->9684 9687 2287ad47940 _log10_special 3 API calls 9686->9687 9688 2287ad4d3e7 9687->9688 9689 2287ad42aa0 9690 2287ad42afd 9689->9690 9691 2287ad42b18 9690->9691 9692 2287ad431e4 3 API calls 9690->9692 9692->9691 9693 2287ad51aa0 9694 2287ad4ec90 39 API calls 9693->9694 9695 2287ad51aa9 9694->9695 9696 2287ad45ca3 9697 2287ad45cb0 9696->9697 9698 2287ad45cbc GetThreadContext 9697->9698 9705 2287ad45e1a 9697->9705 9699 2287ad45ce2 9698->9699 9698->9705 9700 2287ad45d09 9699->9700 9699->9705 9707 2287ad45d66 SetThreadContext 9700->9707 9710 2287ad45d8d 9700->9710 9701 2287ad45e41 VirtualProtect FlushInstructionCache 9701->9705 9702 2287ad45f1e 9704 2287ad44df0 3 API calls 9702->9704 9703 2287ad45efe 9703->9702 9706 2287ad443e0 VirtualFree 9703->9706 9711 2287ad45f23 9704->9711 9705->9701 9705->9703 9706->9702 9707->9710 9708 2287ad45f77 9712 2287ad47940 _log10_special 3 API calls 9708->9712 9709 2287ad45f37 ResumeThread 9709->9711 9711->9708 9711->9709 9713 2287ad45fbf 9712->9713 9714 2287ad4588c 9716 2287ad45893 9714->9716 9715 2287ad458c0 VirtualProtect 9717 2287ad458e9 GetLastError 9715->9717 9718 2287ad457d0 9715->9718 9716->9715 9716->9718 9717->9718 9000 2287ad4c58c 9001 2287ad4c5a5 9000->9001 9002 2287ad4c5bd 9000->9002 9001->9002 9003 2287ad4d744 __free_lconv_num 7 API calls 9001->9003 9003->9002 9719 2287ad5148c 9720 2287ad5149e 9719->9720 9721 2287ad514c5 9720->9721 
9723 2287ad514de 9720->9723 9722 2287ad4d6ac __std_exception_copy 7 API calls 9721->9722 9724 2287ad514ca 9722->9724 9725 2287ad514d5 9723->9725 9727 2287ad4e1b4 17 API calls 9723->9727 9726 2287ad4d570 _invalid_parameter_noinfo 20 API calls 9724->9726 9726->9725 9727->9725 9728 2287ad4fa8c 9729 2287ad4fa98 9728->9729 9730 2287ad4fabf 9729->9730 9732 2287ad51cbc 9729->9732 9733 2287ad51cfc 9732->9733 9734 2287ad51cc1 9732->9734 9733->9729 9735 2287ad51cf4 9734->9735 9736 2287ad51ce2 DeleteCriticalSection 9734->9736 9737 2287ad4d744 __free_lconv_num 7 API calls 9735->9737 9736->9735 9736->9736 9737->9733 9236 2287ad4b10e 9237 2287ad49634 _CallSETranslator 4 API calls 9236->9237 9239 2287ad4b11b __CxxCallCatchBlock 9237->9239 9238 2287ad4b15f RaiseException 9240 2287ad4b186 9238->9240 9239->9238 9241 2287ad49c90 __CxxCallCatchBlock 4 API calls 9240->9241 9246 2287ad4b18e 9241->9246 9242 2287ad4b1b7 __CxxCallCatchBlock 9243 2287ad49634 _CallSETranslator 4 API calls 9242->9243 9244 2287ad4b1ca 9243->9244 9245 2287ad49634 _CallSETranslator 4 API calls 9244->9245 9247 2287ad4b1d3 9245->9247 9246->9242 9248 2287ad49320 __CxxCallCatchBlock 4 API calls 9246->9248 9248->9242 9004 2287ad50388 9005 2287ad50393 9004->9005 9013 2287ad52c88 9005->9013 9007 2287ad50398 9022 2287ad52d3c 9007->9022 9010 2287ad503c9 9011 2287ad4d744 __free_lconv_num 7 API calls 9010->9011 9012 2287ad503d5 9011->9012 9014 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9013->9014 9015 2287ad52ca1 9014->9015 9016 2287ad52d21 9015->9016 9018 2287ad52cec DeleteCriticalSection 9015->9018 9026 2287ad534fc 9015->9026 9017 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9016->9017 9019 2287ad52d2b 9017->9019 9021 2287ad4d744 __free_lconv_num 7 API calls 9018->9021 9019->9007 9021->9015 9023 2287ad52d50 9022->9023 9025 2287ad503aa DeleteCriticalSection 9022->9025 9024 2287ad4d744 __free_lconv_num 7 API calls 9023->9024 9023->9025 9024->9025 
9025->9007 9025->9010 9027 2287ad5352c 9026->9027 9034 2287ad533d8 9027->9034 9029 2287ad53545 9030 2287ad5356a 9029->9030 9031 2287ad4c7a0 _invalid_parameter_noinfo 20 API calls 9029->9031 9032 2287ad5357f 9030->9032 9033 2287ad4c7a0 _invalid_parameter_noinfo 20 API calls 9030->9033 9031->9030 9032->9015 9033->9032 9035 2287ad53421 9034->9035 9036 2287ad533f3 9034->9036 9037 2287ad53413 9035->9037 9044 2287ad503e4 EnterCriticalSection 9035->9044 9038 2287ad4d4a4 _invalid_parameter_noinfo 20 API calls 9036->9038 9037->9029 9038->9037 9045 2287ad56240 9044->9045 8221 2287ad4b014 8222 2287ad49634 _CallSETranslator 4 API calls 8221->8222 8223 2287ad4b049 8222->8223 8224 2287ad49634 _CallSETranslator 4 API calls 8223->8224 8225 2287ad4b057 __except_validate_context_record 8224->8225 8226 2287ad49634 _CallSETranslator 4 API calls 8225->8226 8227 2287ad4b09b 8226->8227 8228 2287ad49634 _CallSETranslator 4 API calls 8227->8228 8229 2287ad4b0a4 8228->8229 8230 2287ad49634 _CallSETranslator 4 API calls 8229->8230 8231 2287ad4b0ad 8230->8231 8244 2287ad49c54 8231->8244 8234 2287ad49634 _CallSETranslator 4 API calls 8235 2287ad4b0dd __CxxCallCatchBlock 8234->8235 8236 2287ad49c90 __CxxCallCatchBlock 4 API calls 8235->8236 8241 2287ad4b18e 8236->8241 8237 2287ad4b1b7 __CxxCallCatchBlock 8238 2287ad49634 _CallSETranslator 4 API calls 8237->8238 8239 2287ad4b1ca 8238->8239 8240 2287ad49634 _CallSETranslator 4 API calls 8239->8240 8242 2287ad4b1d3 8240->8242 8241->8237 8243 2287ad49320 __CxxCallCatchBlock 4 API calls 8241->8243 8243->8237 8245 2287ad49634 _CallSETranslator 4 API calls 8244->8245 8246 2287ad49c65 8245->8246 8247 2287ad49c70 8246->8247 8248 2287ad49634 _CallSETranslator 4 API calls 8246->8248 8249 2287ad49634 _CallSETranslator 4 API calls 8247->8249 8248->8247 8250 2287ad49c81 8249->8250 8250->8234 8250->8235 8260 2287ad48010 8263 2287ad493e8 8260->8263 8262 2287ad48039 8264 2287ad49409 8263->8264 8265 2287ad4943e __std_exception_destroy 8263->8265 8264->8265 8267 
2287ad4c6e8 8264->8267 8265->8262 8268 2287ad4c6f5 8267->8268 8269 2287ad4c6ff 8267->8269 8268->8269 8273 2287ad4c71a 8268->8273 8276 2287ad4d6ac 8269->8276 8272 2287ad4c712 8272->8265 8273->8272 8274 2287ad4d6ac __std_exception_copy 7 API calls 8273->8274 8275 2287ad4c706 8274->8275 8279 2287ad4d570 8275->8279 8282 2287ad4cfa0 8276->8282 8278 2287ad4d6b5 8278->8275 8448 2287ad4d408 8279->8448 8284 2287ad4cfb5 __vcrt_InitializeCriticalSectionEx 8282->8284 8283 2287ad4cfe1 FlsSetValue 8285 2287ad4cff3 8283->8285 8288 2287ad4cfd1 _CallSETranslator 8283->8288 8284->8283 8284->8288 8298 2287ad4d6cc 8285->8298 8288->8278 8289 2287ad4d020 FlsSetValue 8291 2287ad4d02c FlsSetValue 8289->8291 8292 2287ad4d03e 8289->8292 8290 2287ad4d010 FlsSetValue 8293 2287ad4d019 8290->8293 8291->8293 8309 2287ad4cb94 8292->8309 8304 2287ad4d744 8293->8304 8297 2287ad4d744 __free_lconv_num 3 API calls 8297->8288 8302 2287ad4d6dd __std_exception_copy 8298->8302 8299 2287ad4d72e 8300 2287ad4d6ac __std_exception_copy 7 API calls 8299->8300 8301 2287ad4d002 8300->8301 8301->8289 8301->8290 8302->8299 8302->8301 8314 2287ad4b85c 8302->8314 8305 2287ad4d77a 8304->8305 8306 2287ad4d749 HeapFree 8304->8306 8305->8288 8306->8305 8307 2287ad4d764 __vcrt_InitializeCriticalSectionEx __free_lconv_num 8306->8307 8308 2287ad4d6ac __std_exception_copy 6 API calls 8307->8308 8308->8305 8324 2287ad4ca6c 8309->8324 8317 2287ad4b89c 8314->8317 8318 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8317->8318 8319 2287ad4b8a9 8318->8319 8322 2287ad4c9f0 LeaveCriticalSection 8319->8322 8323 2287ad56248 8322->8323 8325 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8324->8325 8326 2287ad4ca88 8325->8326 8327 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8326->8327 8328 2287ad4caa0 8327->8328 8329 2287ad4caec 8328->8329 8330 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 
8329->8330 8331 2287ad4cb08 8330->8331 8336 2287ad4cd7c 8331->8336 8333 2287ad4cb1e 8334 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8333->8334 8335 2287ad4cb26 8334->8335 8335->8297 8337 2287ad4cd98 Concurrency::details::SchedulerProxy::DeleteThis 8336->8337 8338 2287ad4cdc4 Concurrency::details::SchedulerProxy::DeleteThis 8336->8338 8337->8338 8340 2287ad507b4 8337->8340 8338->8333 8341 2287ad507d7 8340->8341 8342 2287ad50850 8340->8342 8341->8342 8347 2287ad50816 8341->8347 8350 2287ad4d744 __free_lconv_num 7 API calls 8341->8350 8343 2287ad508a3 8342->8343 8345 2287ad4d744 __free_lconv_num 7 API calls 8342->8345 8406 2287ad50954 8343->8406 8346 2287ad50874 8345->8346 8348 2287ad4d744 __free_lconv_num 7 API calls 8346->8348 8349 2287ad50838 8347->8349 8355 2287ad4d744 __free_lconv_num 7 API calls 8347->8355 8351 2287ad50888 8348->8351 8352 2287ad4d744 __free_lconv_num 7 API calls 8349->8352 8353 2287ad5080a 8350->8353 8354 2287ad4d744 __free_lconv_num 7 API calls 8351->8354 8357 2287ad50844 8352->8357 8366 2287ad52fc8 8353->8366 8360 2287ad50897 8354->8360 8361 2287ad5082c 8355->8361 8356 2287ad5090e 8362 2287ad4d744 __free_lconv_num 7 API calls 8357->8362 8358 2287ad508af 8358->8356 8363 2287ad4d744 7 API calls __free_lconv_num 8358->8363 8364 2287ad4d744 __free_lconv_num 7 API calls 8360->8364 8394 2287ad530d4 8361->8394 8362->8342 8363->8358 8364->8343 8367 2287ad530cc 8366->8367 8368 2287ad52fd1 8366->8368 8367->8347 8369 2287ad52feb 8368->8369 8370 2287ad4d744 __free_lconv_num 7 API calls 8368->8370 8371 2287ad52ffd 8369->8371 8372 2287ad4d744 __free_lconv_num 7 API calls 8369->8372 8370->8369 8373 2287ad5300f 8371->8373 8374 2287ad4d744 __free_lconv_num 7 API calls 8371->8374 8372->8371 8375 2287ad53021 8373->8375 8377 2287ad4d744 __free_lconv_num 7 API calls 8373->8377 8374->8373 8376 2287ad53033 8375->8376 8378 2287ad4d744 __free_lconv_num 7 API calls 8375->8378 8379 2287ad53045 8376->8379 8380 2287ad4d744 
__free_lconv_num 7 API calls 8376->8380 8377->8375 8378->8376 8381 2287ad53057 8379->8381 8382 2287ad4d744 __free_lconv_num 7 API calls 8379->8382 8380->8379 8383 2287ad53069 8381->8383 8384 2287ad4d744 __free_lconv_num 7 API calls 8381->8384 8382->8381 8385 2287ad5307b 8383->8385 8387 2287ad4d744 __free_lconv_num 7 API calls 8383->8387 8384->8383 8386 2287ad5308d 8385->8386 8388 2287ad4d744 __free_lconv_num 7 API calls 8385->8388 8389 2287ad530a2 8386->8389 8390 2287ad4d744 __free_lconv_num 7 API calls 8386->8390 8387->8385 8388->8386 8391 2287ad530b7 8389->8391 8392 2287ad4d744 __free_lconv_num 7 API calls 8389->8392 8390->8389 8391->8367 8393 2287ad4d744 __free_lconv_num 7 API calls 8391->8393 8392->8391 8393->8367 8395 2287ad530d9 8394->8395 8404 2287ad5313a 8394->8404 8396 2287ad530f2 8395->8396 8398 2287ad4d744 __free_lconv_num 7 API calls 8395->8398 8397 2287ad53104 8396->8397 8399 2287ad4d744 __free_lconv_num 7 API calls 8396->8399 8400 2287ad53116 8397->8400 8401 2287ad4d744 __free_lconv_num 7 API calls 8397->8401 8398->8396 8399->8397 8402 2287ad53128 8400->8402 8403 2287ad4d744 __free_lconv_num 7 API calls 8400->8403 8401->8400 8402->8404 8405 2287ad4d744 __free_lconv_num 7 API calls 8402->8405 8403->8402 8404->8349 8405->8404 8407 2287ad50985 8406->8407 8408 2287ad50959 8406->8408 8407->8358 8408->8407 8412 2287ad53174 8408->8412 8411 2287ad4d744 __free_lconv_num 7 API calls 8411->8407 8413 2287ad5317d 8412->8413 8414 2287ad5097d 8412->8414 8415 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8413->8415 8414->8411 8416 2287ad5319b 8415->8416 8417 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8416->8417 8418 2287ad531a6 8417->8418 8419 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8418->8419 8420 2287ad531b4 8419->8420 8421 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8420->8421 8422 2287ad531c2 8421->8422 8423 2287ad53140 
Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8422->8423 8424 2287ad531d1 8423->8424 8425 2287ad4d744 __free_lconv_num 7 API calls 8424->8425 8426 2287ad531dd 8425->8426 8427 2287ad4d744 __free_lconv_num 7 API calls 8426->8427 8428 2287ad531e9 8427->8428 8429 2287ad4d744 __free_lconv_num 7 API calls 8428->8429 8430 2287ad531f5 8429->8430 8431 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8430->8431 8432 2287ad53203 8431->8432 8433 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8432->8433 8434 2287ad53211 8433->8434 8435 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8434->8435 8436 2287ad5321f 8435->8436 8437 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8436->8437 8438 2287ad5322d 8437->8438 8439 2287ad53140 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8438->8439 8440 2287ad5323c 8439->8440 8441 2287ad4d744 __free_lconv_num 7 API calls 8440->8441 8442 2287ad53248 8441->8442 8443 2287ad4d744 __free_lconv_num 7 API calls 8442->8443 8444 2287ad53254 8443->8444 8445 2287ad4d744 __free_lconv_num 7 API calls 8444->8445 8446 2287ad53260 8445->8446 8447 2287ad4d744 __free_lconv_num 7 API calls 8446->8447 8447->8414 8449 2287ad4d433 8448->8449 8456 2287ad4d4a4 8449->8456 8451 2287ad4d45a 8452 2287ad4d47d 8451->8452 8462 2287ad4c7a0 8451->8462 8454 2287ad4d492 8452->8454 8455 2287ad4c7a0 _invalid_parameter_noinfo 20 API calls 8452->8455 8454->8272 8455->8454 8473 2287ad4d1ec 8456->8473 8458 2287ad4d4df _invalid_parameter_noinfo 8458->8451 8459 2287ad4d4ce _invalid_parameter_noinfo 8459->8458 8460 2287ad4d408 _invalid_parameter_noinfo 20 API calls 8459->8460 8461 2287ad4d589 8460->8461 8461->8451 8463 2287ad4c7f8 8462->8463 8464 2287ad4c7af __vcrt_InitializeCriticalSectionEx 8462->8464 8463->8452 8465 2287ad4d068 _invalid_parameter_noinfo 10 API calls 8464->8465 8466 2287ad4c7de _CallSETranslator 8465->8466 8466->8463 8467 2287ad4c7a0 
_invalid_parameter_noinfo 20 API calls 8466->8467 8468 2287ad4c827 8467->8468 8491 2287ad50430 8468->8491 8474 2287ad4d208 __vcrt_InitializeCriticalSectionEx 8473->8474 8476 2287ad4d233 _CallSETranslator 8473->8476 8477 2287ad4d068 8474->8477 8476->8459 8478 2287ad4d087 FlsGetValue 8477->8478 8480 2287ad4d09c 8477->8480 8479 2287ad4d094 8478->8479 8478->8480 8479->8476 8480->8479 8481 2287ad4d6cc __std_exception_copy 7 API calls 8480->8481 8482 2287ad4d0be 8481->8482 8483 2287ad4d0dc FlsSetValue 8482->8483 8486 2287ad4d0cc 8482->8486 8484 2287ad4d0e8 FlsSetValue 8483->8484 8485 2287ad4d0fa 8483->8485 8484->8486 8487 2287ad4cb94 __std_exception_copy 7 API calls 8485->8487 8488 2287ad4d744 __free_lconv_num 7 API calls 8486->8488 8489 2287ad4d102 8487->8489 8488->8479 8490 2287ad4d744 __free_lconv_num 7 API calls 8489->8490 8490->8479 8492 2287ad50449 8491->8492 8494 2287ad4c84f 8491->8494 8492->8494 8499 2287ad50a5c 8492->8499 8495 2287ad5049c 8494->8495 8496 2287ad504b5 8495->8496 8498 2287ad4c85f 8495->8498 8496->8498 8547 2287ad4ecf0 8496->8547 8498->8452 8508 2287ad4ce28 8499->8508 8501 2287ad50a6b 8502 2287ad4c99c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 8501->8502 8507 2287ad50ab1 8501->8507 8503 2287ad50a94 8502->8503 8543 2287ad50acc 8503->8543 8506 2287ad4c9f0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 8506->8507 8507->8494 8509 2287ad4ce3d __vcrt_InitializeCriticalSectionEx 8508->8509 8510 2287ad4ce4c FlsGetValue 8509->8510 8511 2287ad4ce69 FlsSetValue 8509->8511 8512 2287ad4ce63 8510->8512 8525 2287ad4ce59 _CallSETranslator 8510->8525 8513 2287ad4ce7b 8511->8513 8511->8525 8512->8511 8514 2287ad4d6cc __std_exception_copy 7 API calls 8513->8514 8515 2287ad4ce8a 8514->8515 8516 2287ad4cea8 FlsSetValue 8515->8516 8517 2287ad4ce98 FlsSetValue 8515->8517 8518 2287ad4ceb4 FlsSetValue 8516->8518 8519 2287ad4cec6 8516->8519 8521 2287ad4cea1 8517->8521 8518->8521 8522 2287ad4cb94 __std_exception_copy 7 API 
calls 8519->8522 8520 2287ad4cee2 8520->8501 8523 2287ad4d744 __free_lconv_num 7 API calls 8521->8523 8524 2287ad4cece 8522->8524 8523->8525 8526 2287ad4d744 __free_lconv_num 7 API calls 8524->8526 8525->8520 8527 2287ad4cf0d FlsGetValue 8525->8527 8528 2287ad4cf28 FlsSetValue 8525->8528 8526->8525 8529 2287ad4cf22 8527->8529 8532 2287ad4cf1a 8527->8532 8530 2287ad4cf35 8528->8530 8528->8532 8529->8528 8531 2287ad4d6cc __std_exception_copy 7 API calls 8530->8531 8533 2287ad4cf44 8531->8533 8532->8501 8534 2287ad4cf62 FlsSetValue 8533->8534 8535 2287ad4cf52 FlsSetValue 8533->8535 8536 2287ad4cf6e FlsSetValue 8534->8536 8537 2287ad4cf80 8534->8537 8538 2287ad4cf5b 8535->8538 8536->8538 8539 2287ad4cb94 __std_exception_copy 7 API calls 8537->8539 8540 2287ad4d744 __free_lconv_num 7 API calls 8538->8540 8541 2287ad4cf88 8539->8541 8540->8532 8541->8532 8542 2287ad4d744 __free_lconv_num 7 API calls 8541->8542 8542->8532 8544 2287ad50ade Concurrency::details::SchedulerProxy::DeleteThis 8543->8544 8546 2287ad50aa4 8543->8546 8545 2287ad507b4 Concurrency::details::SchedulerProxy::DeleteThis 7 API calls 8544->8545 8544->8546 8545->8546 8546->8506 8548 2287ad4ce28 _invalid_parameter_noinfo 17 API calls 8547->8548 8549 2287ad4ecf9 8548->8549 9046 2287ad42990 9048 2287ad429e4 9046->9048 9047 2287ad429ff 9048->9047 9050 2287ad43130 9048->9050 9051 2287ad431c6 9050->9051 9053 2287ad43155 9050->9053 9051->9047 9052 2287ad43844 StrCmpNIW 9052->9053 9053->9051 9053->9052 9054 2287ad41ce0 StrCmpIW StrCmpW 9053->9054 9054->9053 9738 2287ad47a90 9739 2287ad47a99 __scrt_acquire_startup_lock 9738->9739 9741 2287ad47a9d 9739->9741 9742 2287ad4bf5c 9739->9742 9743 2287ad4bf7c 9742->9743 9764 2287ad4bf93 9742->9764 9744 2287ad4bf9a 9743->9744 9745 2287ad4bf84 9743->9745 9747 2287ad4ec90 39 API calls 9744->9747 9746 2287ad4d6ac __std_exception_copy 7 API calls 9745->9746 9748 2287ad4bf89 9746->9748 9749 2287ad4bf9f 9747->9749 9751 2287ad4d570 _invalid_parameter_noinfo 20 API calls 
9748->9751 9773 2287ad4e374 GetModuleFileNameW 9749->9773 9751->9764 9755 2287ad4befc 7 API calls 9756 2287ad4c009 9755->9756 9757 2287ad4c029 9756->9757 9758 2287ad4c011 9756->9758 9760 2287ad4bd34 17 API calls 9757->9760 9759 2287ad4d6ac __std_exception_copy 7 API calls 9758->9759 9762 2287ad4c016 9759->9762 9761 2287ad4c045 9760->9761 9766 2287ad4c077 9761->9766 9767 2287ad4c090 9761->9767 9772 2287ad4c04b 9761->9772 9763 2287ad4d744 __free_lconv_num 7 API calls 9762->9763 9763->9764 9764->9741 9765 2287ad4d744 __free_lconv_num 7 API calls 9765->9764 9768 2287ad4d744 __free_lconv_num 7 API calls 9766->9768 9770 2287ad4d744 __free_lconv_num 7 API calls 9767->9770 9769 2287ad4c080 9768->9769 9771 2287ad4d744 __free_lconv_num 7 API calls 9769->9771 9770->9772 9771->9764 9772->9765 9774 2287ad4e3cd 9773->9774 9775 2287ad4e3b9 __vcrt_InitializeCriticalSectionEx 9773->9775 9776 2287ad4e1b4 17 API calls 9774->9776 9778 2287ad4d620 7 API calls 9775->9778 9777 2287ad4e3fb 9776->9777 9779 2287ad4f5a8 3 API calls 9777->9779 9784 2287ad4e40c 9777->9784 9780 2287ad4e3c6 9778->9780 9779->9784 9782 2287ad47940 _log10_special 3 API calls 9780->9782 9783 2287ad4bfb6 9782->9783 9785 2287ad4bd34 9783->9785 9791 2287ad4e258 9784->9791 9787 2287ad4bd72 9785->9787 9789 2287ad4bdde 9787->9789 9800 2287ad4f040 9787->9800 9788 2287ad4becf 9788->9755 9789->9788 9790 2287ad4f040 17 API calls 9789->9790 9790->9789 9792 2287ad4e297 9791->9792 9794 2287ad4e27c 9791->9794 9795 2287ad4e2fa __vcrt_InitializeCriticalSectionEx 9792->9795 9796 2287ad4e29c 9792->9796 9793 2287ad4d6ac __std_exception_copy 7 API calls 9793->9794 9794->9780 9795->9794 9797 2287ad4d620 7 API calls 9795->9797 9796->9793 9796->9794 9798 2287ad4e307 9797->9798 9799 2287ad4d6ac __std_exception_copy 7 API calls 9798->9799 9799->9794 9801 2287ad4efcc 9800->9801 9802 2287ad4e1b4 17 API calls 9801->9802 9803 2287ad4eff0 9802->9803 9803->9787 8050 2287ad41abc 8055 2287ad41628 GetProcessHeap 8050->8055 8052 2287ad41ad2 Sleep 
Execution graph (svchost memory dump at 0x2287AD40000). The interactive graph rendering is not recoverable; the function nodes and the Windows APIs each of them reaches are:

• 2287ad41598 / 2287ad41628 (registry configuration reader): SleepEx loop; GetProcessHeap, HeapAlloc, HeapFree; nine RegOpenKeyExW calls, each of the last eight followed by RegQueryInfoKeyW, RegEnumValueW, lstrlenW, StrCpyW, StrCmpIW / StrCmpW and RegCloseKey
• 2287ad4253c and 2287ad42330 (path normalisation): GetFileType, StrCpyW, GetFinalPathNameByHandleW, lstrlenW, StrCmpNIW, StrCmpIW, StrCatW, PathCombineW
• 2287ad4202c / 2287ad42f04 (string list matching): GetProcessHeap, HeapFree, StrCmpNIW, StrCmpIW / StrCmpW
• 2287ad42b2c: GetModuleHandleA, StrCmpNIW, lstrlenW, StrCmpIW / StrCmpW; 2287ad428c8: StrCmpNIW
• 2287ad42244 / 2287ad41934 (cross-process access): GetProcessIdOfThread, GetCurrentProcessId, OpenProcess, IsWow64Process, CreateFileW, WriteFile, ReadFile, CloseHandle
• 2287ad458b9, 2287ad4554d and 2287ad45234 (memory protection changes): VirtualProtect, GetLastError, SetLastError
• 2287ad43ab9, 2287ad439e0, 2287ad43b10 and 2287ad43be0 (memory mapping): VirtualQuery, VirtualAlloc, GetLastError
• CRT start-up and runtime support (2287ad47960, 2287ad4f054, 2287ad4f830, 2287ad4cefc, 2287ad4f1ec, 2287ad4e668, 2287ad4ed0c, 2287ad4e780, 2287ad4f07c, 2287ad4f858, 2287ad4a040, 2287ad4f60c, 2287ad4c9b8, 2287ad497c4, 2287ad48200, 2287ad482b0, 2287ad48320, 2287ad48fe8, 2287ad544a8): GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetCommandLineA / GetCommandLineW, GetProcessHeap, FlsGetValue / FlsSetValue, GetEnvironmentStringsW / FreeEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, EnterCriticalSection / LeaveCriticalSection, DeleteCriticalSection, IsProcessorFeaturePresent, RtlCaptureContext, RtlVirtualUnwind, RtlUnwindEx, RaiseException

                                                                          Control-flow Graph: function 2287ad4202c, basic blocks 2287ad4202c-2287ad42243; calls 2287ad62d00, 2287ad41bbc, 2287ad41bf4 and 2287ad42f04; Windows API reached: StrCmpNIW (the graph rendering and its executed / not-executed colouring are not recoverable)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: S$dialer
                                                                          • API String ID: 756756679-3873981283
                                                                          • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction ID: 15662bb074b80e72114cfb3423b8f995855cf4940197a5156a9bca70ee0bf009
                                                                          • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction Fuzzy Hash: 3B51B23AB12620A6E7A1CFA5EC4866EEBF5F704B84F658011DF0562B85EF39E841C300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: a596706817863b87f838aa179f978421c9f4ae86b227c0539ecd4e4a78882b94
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: F3713C3A313A10A6EB50DFA5EC98699BBA4F784F99F641111EE4E43B28EF3DD444C340
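                                                                          Triage note (added here; not part of the Joe Sandbox report and not the sample's own code). The string table of this function names "SOFTWARE\dialerconfig" together with paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp, and the execution graph shows nine RegOpenKeyExW calls, the last eight each followed by RegQueryInfoKeyW / RegEnumValueW and RegCloseKey. That is consistent with one parent key and eight subkeys whose values are enumerated, i.e. a hiding configuration keyed by path, process id, process name, service name, start-up entry and TCP/UDP endpoint. The script below checks for that layout. The hives (HKLM, HKCU, WOW6432Node) and the offline hive path are assumptions; the report only shows the hive-relative key name.

```powershell
# Added triage check, not the sample's code. Subkey names are taken from the
# report's string table; which hive the sample uses is NOT shown, so several
# candidate roots are tried.
$SubKeys = 'paths', 'pid', 'process_names', 'service_names', 'startup',
           'tcp_local', 'tcp_remote', 'udp'

function Get-DialerConfig {
    param(
        # Candidate registry roots (assumed; the report gives only "SOFTWARE\dialerconfig").
        [string[]] $Roots = @('HKLM:\SOFTWARE\dialerconfig',
                              'HKLM:\SOFTWARE\WOW6432Node\dialerconfig',
                              'HKCU:\SOFTWARE\dialerconfig')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Mirror the sample's own access pattern: open each named subkey and
        # enumerate every value under it.
        foreach ($sub in $SubKeys) {
            $path = Join-Path $root $sub
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $path
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Live query. A sample that hooks registry query APIs in user mode can hide
# this key from any hooked process, so an empty result here is not conclusive.
Get-DialerConfig | Format-Table -AutoSize

# Offline check: load the SOFTWARE hive from the suspect disk (assumed mounted
# as D:) under a temporary root and query it with the same function.
# reg.exe load HKLM\SuspectSoftware D:\Windows\System32\config\SOFTWARE
# Get-DialerConfig -Roots 'HKLM:\SuspectSoftware\dialerconfig'
# reg.exe unload HKLM\SuspectSoftware
```

                                                                          Run the live query from a freshly started PowerShell rather than a long-lived session, and treat the offline hive result as authoritative when the two disagree: a discrepancy between them is itself evidence of the registry hooking the report describes.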

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 4549171a1f5c531afcf0fe7ab49f21d0d99b579a59effde18e62c3ae510d035f
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: FB11C03CA13740B2FBA8ABE8FC0D359EA94AB55FC5F745124ED0681590EFBCE0448601

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000002287AD41628: GetProcessHeap.KERNEL32 ref: 000002287AD41633
                                                                            • Part of subcall function 000002287AD41628: HeapAlloc.KERNEL32 ref: 000002287AD41642
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD416B2
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD416DF
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD416F9
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD41719
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD41734
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD41754
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD4176F
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD4178F
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD417AA
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD417CA
                                                                          • Sleep.KERNEL32 ref: 000002287AD41AD7
                                                                          • SleepEx.KERNELBASE ref: 000002287AD41ADD
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD417E5
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD41805
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD41820
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD41840
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD4185B
                                                                            • Part of subcall function 000002287AD41628: RegOpenKeyExW.ADVAPI32 ref: 000002287AD4187B
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD41896
                                                                            • Part of subcall function 000002287AD41628: RegCloseKey.ADVAPI32 ref: 000002287AD418A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: e9ba6546107a02f3a590862e2e3c679fc4efb8482df81dc3ce6c9a5a738cc9a0
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 76312F6921264172FFD09BA6DE4D3A9ABA4AB45FC0F345421BE0D87395FF3CE851C210

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 2287ad42b2c (rendered graph not included; only the node/edge listing survived). API calls visible in the graph: GetModuleHandleA, StrCmpNIW, lstrlenW; internal subcalls: 2287ad62ce0, 2287ad56090, 2287ad4199c, 2287ad41bbc, 2287ad43844, 2287ad4152c, 2287ad485c0.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: f1f287d8c6bd32bb43e22e86b497f71c806742b9dd0cf4e6da2d652e8d3b8f54
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: E9B1B56E212B50A2EB94CFA5CC487A9EBA9F744F94F245026EE4953794EF3DEC40C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 8d2513ba9eaed1391154caeca1eddf54d8d4b2d85d5b07c40d5d908adf50f10f
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: E631617A206B8099EBA0DFA0E8443EDB760F784B44F584029DB4E57B94EF3CD548CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 692eaa25d5cf8136ecb5abbd59807d3f4d9a241190cbb6b218dcb9e765191134
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: F2316F3A216B8096EBA0CFA5EC4839EB7A4F789B94F640125EE9D43B54DF3CD145CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: cd7504fe5d4a49f2a9dd15fd037e1db9fc2661ed73265c538814aa76c4a94205
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: F451933A602B8496EB50CFA2E84C76ABBA1F788FC9F284124DE4907B58DF3DD045C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 2f4f859470ee0d0b61f0151da4ad4c532a0151ac24b806971137e82f7f756ca3
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: C131B76C50394AB0FA40DFE5EC6D6E4EB31B705B84FB00013A85902565AF3CE64AC361

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000002287AD4CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CEBC
                                                                          • SetLastError.KERNEL32 ref: 000002287AD4CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000002287AD4ECCC,?,?,?,?,000002287AD4BF9F,?,?,?,?,?,000002287AD47AB0), ref: 000002287AD4CF2C
                                                                            • Part of subcall function 000002287AD4D6CC: HeapAlloc.KERNEL32 ref: 000002287AD4D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CF54
                                                                            • Part of subcall function 000002287AD4D744: HeapFree.KERNEL32 ref: 000002287AD4D75A
                                                                            • Part of subcall function 000002287AD4D744: GetLastError.KERNEL32 ref: 000002287AD4D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002287AD50A6B,?,?,?,000002287AD5045C,?,?,?,000002287AD4C84F), ref: 000002287AD4CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: caf7a428e3707d06cf654b7f69e18d1049c85e9ed4488eb946d0102582408019
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 35414F2C38324466FEE8A7F55D5E369EA419B45FB4F340724AD36476E6DE3CF4014600

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: e1a4234d330813a9ef371ee32b6803a7a7fe3c66ce6235c53af086949f8fae27
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: C021653A61674093F750CBA5F84C36ABBA0F789BE5F640215EA5903BA8DF3DD149CB01

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 2287ad4a544 (rendered graph not included; only the node/edge listing survived). No Win32 API calls appear as nodes; the graph consists of internal subcalls (2287ad4b414, 2287ad4c748, 2287ad49634, 2287ad4aa1c, 2287ad47940, 2287ad49a10, 2287ad49d24, 2287ad49ce4, 2287ad498b4, 2287ad41bbc, 2287ad49cf8, 2287ad4ac38, 2287ad4b4ac, 2287ad49944, 2287ad49b50, 2287ad4a470, 2287ad4b59c, 2287ad492ac, 2287ad4aff4, 2287ad494a0, 2287ad4c6a8), consistent with the C++ exception-handling routine described by the API ID below.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: ce4bb4e51dd55c8c3a403ba62ab066672b797156608fab510febe25c61d81552
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: FFE1B47A606B40A6FBA0DFA5D84839DBBB0F755F98F600115EE8957BA5CF38E181C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: b48d4e2ada66079e7f28355b30074cfa318d4146a15a4faa6432de62adbb7fab
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 7641D42B313A00B1FB96CBE6AC08795AB95F749FE0F2985259D0E87794EE3CE4458310

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 247594ec2395e5b07854cc9e5e76116d2821bffb54a4ebe2f88cc0d0e991168f
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 5D417437615B84D6E790CFA1E84875EBBA1F384B98F248115EB8907758DF3DD445CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000002287AD4C7DE,?,?,?,?,?,?,?,?,000002287AD4CF9D,?,?,00000001), ref: 000002287AD4D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD4C7DE,?,?,?,?,?,?,?,?,000002287AD4CF9D,?,?,00000001), ref: 000002287AD4D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD4C7DE,?,?,?,?,?,?,?,?,000002287AD4CF9D,?,?,00000001), ref: 000002287AD4D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD4C7DE,?,?,?,?,?,?,?,?,000002287AD4CF9D,?,?,00000001), ref: 000002287AD4D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000002287AD4C7DE,?,?,?,?,?,?,?,?,000002287AD4CF9D,?,?,00000001), ref: 000002287AD4D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 2a7fe306970342c8d28199f987a5d1fc91bd79add344bf5eb8fd78575c2624d7
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 1A11932874724465FEE8A7A59D6E369E9419B49FF0F344324ACB9477EADE3CF4028200

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 1a20a05061dca19b64c9b518e166e6642e95f3179fcebb900232e05332915be4
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7B81D32CA03741A6FBD0ABE99C4D399EF91A745F80F784415AD0847796DF3CE9458F00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 584b8c01e0b70e57f26449ff222099f6d06bc89bc709c0222dd7223dd57a1c1d
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 0A31A32D313A40F1EEA1DBC7AC08B65AA95B748FA0F794935AD2E0B794DF3DE4458300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 2e77ba979f28693f9f16795037e44967f4cc252b98d81dc257c2ee4cc08d46de
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 6811BF39712B4092E750CB96EC58719FAA4F388FE4F280225EA2A877A4CF7DD8048740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 4e4daf94a97750f91189a1fe9db1e1a2bef8d6cd53c14ffdbccffd97f3392290
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 9A115E2E70674193EF589BA9E808669EAA0F748FD5F680029DE8907754EF3ED505C704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 96f7c51ceef55797b9058ba940676b764a5d8e79acbff97015189cbe06b30fa6
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 7FD17D7A205B8896DA70DB56E89835ABBA0F7C8F84F200116EECD47BA5DF3CD551CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: dabc0e3c40413ed1b4d1046e800613297d4f47542371bcbad35f5b2cf4000f65
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: E831912A703B51A2EA95CF97ED4872AEFA0FB44F80F5841209F4847B55EF3DE4A18700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID: C:\Windows\system32\svchost.exe
                                                                          • API String ID: 3168794593-4180442734
                                                                          • Opcode ID: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction ID: 3fe35f0a50f390c44dd8ae09ee2fceaf017d6a47418d2b562510470748955b70
                                                                          • Opcode Fuzzy Hash: 5f1dcf0d6982f64b78ee420bc41fcee6693c0fdf65c097574d0a291fc3cf39dd
                                                                          • Instruction Fuzzy Hash: 58316FAF90BAC4AAF351CFF59C59669AFA0F795F40F2D8015DB8403647EE3AE4048742
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 4e5582e0474a076cd751713097a6978cafad305db8cb3186a1b749fb2ad0a9f8
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: 17116D2834728061FAE4A7F19D5D369EA42AB89FF4F340724AC76476EADE3CE4018700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: b4893b8b22a76008968fd82bc61f32ca1f37494857043076c37b799cc34e7bee
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: 97016929702B8092EB90DB92E84C759ABA1F788FC5FA84035DE4943758DF3DD98AC700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: db9bfe011ad0c8e5d4ba0327c1c1c26d38c8a91e6fa98e1031008cafb478a6bc
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 82012D6D71374092FB649BA5EC0C715ABA4BB45FC6F280424DD4907755EF3DD1188701
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: b1825bd710485f0bba041030fde6b3a9a1e32f3773c7ed219419e3b9f18b126e
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 0851913A603600A6EB94DBA6DC4CF59BB97F344F88F248124EE1643748DF79E841C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 3d55c581d8b614482a8c8483e4cd3c223c21377bc6632f8c91a9d0e6a02713a3
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 2E316B3A202640A6E794DFA2EC4CB19BFA6F744F88F258514EE5A07789DF3DE940C705
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: 644405c38f13191ac5d3427aad02c6610619091a1f91e5372ccbd796ba5111e8
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: CDF04426706641A2F760CFE5FC98759AB61F758BC8FA84020DA4946554DF3DD68DCB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: 78a982b147a55b1b38349afcad47d7a4510fb19c9bce9aac28a7a62e5f713fa7
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 96F06269213A04A1EB50CBE8EC4C359AB60EB88B61F780619DA6A461E4CF3DD144C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 3b4a246aa34b08b7a3dd1872fffa9ea369f5f6f0a08b3959c4e5a8415cf3858a
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: 6BF05828306B80A2FA44CFD6FD18129AA60AB48FD0F2C8120EE4A07B28DE3CD4858700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 2596987db0924f786fdba8dfac169f38f03951093ef5be0b381d591d0a306ff9
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: B202BD36619B8496E7A0CB95E89435AFBA0F3C5B94F204015EE8E87B68DF7DD854CF00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: 4c97c994bd2bd881d5bb07df5f7f4e8d790058b1eecd8e0ae59bf96262c6ffed
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 8A61C03A51AB44D6E7A0CB95E84831ABBA4F384B84F200115FE8E47BA8DF7CD945CF00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: de8ce369ea6e310e47ffa966fc16399e177ceee15ae43f98ac52f6f5b8765546
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: E41127AEE83E5031F66892E8DC1D7A58C136B783F4F384624A536076D6CE3EE8404202
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 17ef0b28a518a576b9b2106d4f362850be4219ac165f5facea9e2ac532faf5a3
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: 3D61B13B606B849AEB50DFA5D84479DBBA1F348F88F244215EF4917BA8DF38E184C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: e0e40851127b7a61dbf07d7bf29e134bd5ec1da6b04e91dd569283a5f631de7e
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 9651937A206780AAEBB48F959988359BFA0F354F85F244116EE9947BE5CF3CE450C700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: dff244be24b00069661c0f7a21ff929da84c2252b97a53a34125e1d4a83c28a0
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 59D10336B16A80A9E711CFB9D84439CBFB1F354B98F244216CE5997B99EE39D40AC340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: d6bd8fecf8380711298a32fb7ef6d0fb73e2e93f59bea2e542015d71e3c12744
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: 1191D836703650A5F764DFA58C583ADBFA0B715B88F344109DE0A97699EF3ED44AC700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 48fa9309331cb3859d48dcc39b02a731aa23bbf8a096e8fe0992499ca9744507
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 78111C26712B019AEF40CBA0EC593A877A4F719758F540E21EA6D477A8DF7CD1988380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: 8f96606f629d94357db9f86543fae014b8cc4eda410cac590828ff953256e5ae
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 4971D67A20178166E7A4DFA5DC483AAEF94F389FC4F640016DD0953B89EE3DD545C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 95e4a1ddac21b8d21b6efd4a6728b3bd2179ca04cdb9844e0a221d5057f5b55e
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: CD51053A60A381A1E6F4DFA9A85C3BAEF51F395F80F690125DD4D13B49EE3DE5048740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 8dd3ff9a3c28cba6e7fceb608b149d51e4ccedb60315b798c82d5eef4d000739
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: A241E676316A80A6DB20CFA5EC483AABBA0F398B94F644021EE4D87794EF3DD405C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: cf0cf7a52147803433ce0350d0a75bcd98f0a3eff94c5234becb0b83a7d44b71
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 4B113D36216B8092EB618F55F844359BBE5F788F94F684220EE8C47B58DF3DD551CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: a533c1df0c3641f7d1140dcae3fbc29e250e71a023e2703c72a14d21572f0e92
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 70118F29A03B4491EA44DBA6AC08629BBA1FB89FC0F284124EE4D43765DF3DE482C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2638207792.000002287AD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002287AD40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_2287ad40000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 13b30b473d7aa4abd5a4338d40bcb2162bfa758f575faae3169f30695bd86f78
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: BFE03939A0360486EB44CBA2D80876ABAE1EB89B06F1880248A1907751DF7ED499C751

                                                                          Execution Graph

                                                                          Execution Coverage:0.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:74
                                                                          Total number of Limit Nodes:2
execution_graph (nodes sorted by id; each line: node id, address, API calls at that node, "->" its successor nodes)

15226  1b94da6273c                              -> 15228
15227  1b94da62858  LoadLibraryA                -> 15228
15228  1b94da6276a                              -> 15227, 15229
15229  1b94da628d4                              -> (none)
15230  1b94da91abc                              -> 15235
15232  1b94da91ad2  Sleep SleepEx               -> 15233
15233  1b94da91acb                              -> 15232, 15234
15234  1b94da91598  StrCmpIW StrCmpW            -> 15233
15235  1b94da91628  GetProcessHeap              -> 15236
15236  1b94da91648  _invalid_parameter_noinfo   -> 15280
15238  1b94da91650                              -> 15239
15239  1b94da91268  2 API calls                 -> 15240
15240  1b94da91661                              -> 15241
15241  1b94da91268  2 API calls                 -> 15242
15242  1b94da9166a                              -> 15243
15243  1b94da91268  2 API calls                 -> 15244
15244  1b94da91673                              -> 15245
15245  1b94da9168e  RegOpenKeyExW               -> 15246, 15247
15246  1b94da918a6                              -> 15233
15247  1b94da916c0  RegOpenKeyExW               -> 15248, 15249
15248  1b94da916e9                              -> 15284
15249  1b94da916ff  RegOpenKeyExW               -> 15251, 15252
15251  1b94da91723                              -> 15295
15252  1b94da9173a  RegOpenKeyExW               -> 15255, 15256
15255  1b94da91775  RegOpenKeyExW               -> 15257, 15258
15256  1b94da9175e                              -> 15260
15257  1b94da91799                              -> 15262
15258  1b94da917b0  RegOpenKeyExW               -> 15263, 15264
15260  1b94da912bc  13 API calls                -> 15261
15261  1b94da9176b  RegCloseKey                 -> 15255
15262  1b94da912bc  13 API calls                -> 15265
15263  1b94da917d4                              -> 15266
15264  1b94da917eb  RegOpenKeyExW               -> 15267, 15268
15265  1b94da917a6  RegCloseKey                 -> 15258
15266  1b94da912bc  13 API calls                -> 15269
15267  1b94da91826  RegOpenKeyExW               -> 15271, 15272
15268  1b94da9180f                              -> 15270
15269  1b94da917e1  RegCloseKey                 -> 15264
15270  1b94da9104c  5 API calls                 -> 15275
15271  1b94da91861  RegOpenKeyExW               -> 15273, 15274
15272  1b94da9184a                              -> 15276
15273  1b94da91885                              -> 15278
15274  1b94da9189c  RegCloseKey                 -> 15246
15275  1b94da9181c  RegCloseKey                 -> 15267
15276  1b94da9104c  5 API calls                 -> 15277
15277  1b94da91857  RegCloseKey                 -> 15271
15278  1b94da9104c  5 API calls                 -> 15279
15279  1b94da91892  RegCloseKey                 -> 15274
15280  1b94da91268  GetProcessHeap              -> 15301
15282  1b94da91283  GetProcessHeap              -> 15283
15283  1b94da912ae  _invalid_parameter_noinfo   -> 15238
15284  1b94da912bc  RegQueryInfoKeyW            -> 15285, 15286
15285  1b94da91327  GetProcessHeap              -> 15287
15286  1b94da9148a  RegCloseKey                 -> 15249
15287  1b94da9133e  _invalid_parameter_noinfo   -> 15288, 15289, 15291, 15292, 15293, 15294, 15303
15288  1b94da91352  RegEnumValueW               -> 15287
15289  1b94da91476  GetProcessHeap HeapFree     -> 15286
15291  1b94da913d3  GetProcessHeap              -> 15287
15292  1b94da9141e  lstrlenW GetProcessHeap     -> 15287
15293  1b94da913f3  GetProcessHeap HeapFree     -> 15292
15294  1b94da91443  StrCpyW                     -> 15287
15295  1b94da9104c  RegQueryInfoKeyW            -> 15296, 15299
15296  1b94da911b5  RegCloseKey                 -> 15252
15297  1b94da910cf  RegEnumValueW               -> 15299
15298  1b94da9114e  GetProcessHeap              -> 15299
15299  1b94da910bf  _invalid_parameter_noinfo   -> 15296, 15297, 15298, 15300
15300  1b94da9116e  GetProcessHeap HeapFree     -> 15299
15301  1b94daa6168                              -> 15302
15302  1b94daa6177                              -> (none)
15303  1b94da9152c                              -> 15304, 15307
15304  1b94da91546                              -> 15305, 15306, 15307
15305  1b94da91565  StrCmpW                     -> 15304
15306  1b94da9155d  StrCmpIW                    -> 15304
15307  1b94da9157c                              -> 15287
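Joe Sandbox emits the execution_graph above as one flattened token stream when the report is scraped: a node is a decimal id followed by a hex address and an optional API label, and an edge is written A->B. The Python below is an added example, not part of this report and not Joe Sandbox code. It parses that stream and runs Tarjan's algorithm to list the cycles (strongly connected components) together with the APIs called inside them, which is how the Sleep/SleepEx plus StrCmpIW/StrCmpW polling loop across 1b94da91acb, 1b94da91ad2 and 1b94da91598, and the LoadLibraryA loop between 1b94da6276a and 1b94da62858, stand out from the linear registry-walking code. The token grammar is inferred from the text on this page rather than taken from a documented Joe Sandbox format, and the embedded input is an excerpt of this report's own graph text, cut after the edge 15246->15233.

```python
"""Parse a Joe Sandbox execution_graph token stream and report its loops.

Added example for this report, not Joe Sandbox code. The token grammar
(decimal id, hex address, optional API label for a node; 'A->B' for an edge)
is inferred from the text of the report, not from a documented format.
"""
import re
from collections import defaultdict

# Excerpt of the execution_graph text from this report (the 49_2 svchost
# dump), cut after the edge 15246->15233 so the example stays short.
GRAPH_EXCERPT = (
    "execution_graph 15226 1b94da6273c 15228 1b94da6276a 15226->15228 "
    "15227 1b94da62858 LoadLibraryA 15227->15228 15228->15227 "
    "15229 1b94da628d4 15228->15229 15230 1b94da91abc "
    "15235 1b94da91628 GetProcessHeap 15230->15235 "
    "15232 1b94da91ad2 Sleep SleepEx 15233 1b94da91acb 15232->15233 15233->15232 "
    "15234 1b94da91598 StrCmpIW StrCmpW 15233->15234 15234->15233 "
    "15236 1b94da91648 _invalid_parameter_noinfo 15235->15236 "
    "15280 1b94da91268 GetProcessHeap 15236->15280 15238 1b94da91650 "
    "15239 1b94da91268 2 API calls 15238->15239 15240 1b94da91661 15239->15240 "
    "15241 1b94da91268 2 API calls 15240->15241 15242 1b94da9166a 15241->15242 "
    "15243 1b94da91268 2 API calls 15242->15243 15244 1b94da91673 15243->15244 "
    "15245 1b94da9168e RegOpenKeyExW 15244->15245 15246 1b94da918a6 15245->15246 "
    "15247 1b94da916c0 RegOpenKeyExW 15245->15247 15246->15233"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{8,}$")   # e.g. 1b94da91ad2


def parse_execution_graph(text):
    """Return ({node_id: (address, label)}, [(src, dst), ...]).

    A node starts at a run of digits followed by a hex address; the tokens
    after the address, up to the next node or edge, form its label (an API
    list such as 'Sleep SleepEx' or a summary such as '2 API calls').
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current, label = None, []          # node whose label is being collected
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        new_node = tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1])
        if edge or new_node:
            if current is not None:    # finish the node before this token
                nodes[current] = (nodes[current][0], " ".join(label))
            current, label = None, []
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif new_node:
            current = int(tok)
            nodes[current] = (tokens[i + 1], "")
            i += 2
        else:
            label.append(tok)
            i += 1
    if current is not None:
        nodes[current] = (nodes[current][0], " ".join(label))
    return nodes, edges


def strongly_connected_components(nodes, edges):
    """Tarjan's SCC; returns only components that contain a cycle, sorted."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    index, low, stack, on_stack, loops = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:             # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ[v]:
                loops.append(sorted(comp))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return sorted(loops)


def loop_apis(nodes, edges):
    """Each loop with the APIs called inside it; 'N API calls' summaries are skipped."""
    result = []
    for comp in strongly_connected_components(nodes, edges):
        apis = set()
        for v in comp:
            label = nodes.get(v, ("", ""))[1]
            if label and not label.endswith("API calls"):
                apis.update(label.split())
        result.append((comp, sorted(apis)))
    return result


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for comp, apis in loop_apis(nodes, edges):
        print("loop", comp, "calls", ", ".join(apis) or "(no API)")
```

Run against the full graph text, the same script also surfaces the RegEnumValueW / StrCpyW / StrCmpIW loops under 1b94da9133e, which is the per-value enumeration the registry walker performs on each key it opens; the "N API calls" labels are collapsed subcalls and are deliberately not counted as API names.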

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: c96ff13c95401dd77f8de147b55b35d7c48e2cd7a1e1fc34b714a5150cdf1649
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 9D11803DA1064086FF609B71FB493EA32B4AF54349F568A659B16816B1FF7CCC4F8610

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000001B94DA91628: GetProcessHeap.KERNEL32 ref: 000001B94DA91633
                                                                            • Part of subcall function 000001B94DA91628: HeapAlloc.KERNEL32 ref: 000001B94DA91642
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA916B2
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA916DF
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA916F9
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA91719
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA91734
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA91754
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA9176F
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA9178F
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA917AA
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA917CA
                                                                          • Sleep.KERNEL32 ref: 000001B94DA91AD7
                                                                          • SleepEx.KERNELBASE ref: 000001B94DA91ADD
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA917E5
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA91805
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA91820
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA91840
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA9185B
                                                                            • Part of subcall function 000001B94DA91628: RegOpenKeyExW.ADVAPI32 ref: 000001B94DA9187B
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA91896
                                                                            • Part of subcall function 000001B94DA91628: RegCloseKey.ADVAPI32 ref: 000001B94DA918A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: bdb395ece79d3cd103683ddfbc51f61e4cc732ce345513d12d96d83408b1be0f
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 8431FDB9200A4182FF54AB26DB493E933E5AF84BD4F0A5C619F09876B5FF24CC5BC210

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered graph text) for 1b94da93844-1b94da93870: 4 basic blocks, calls StrCmpNIW
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer
                                                                          • API String ID: 0-3528709123
                                                                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction ID: 71f8af887441174848e2e837ea4e684f42409e05527858769fe449d82ed14272
                                                                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction Fuzzy Hash: 0DD05E7831160586FF149FE789C46A03361AF14748F8E86208A0001270EB588D8F9A10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629149043.000001B94DA60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da60000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 57795ad3bd89589d76509a4d0e431a774af815a63aa21886f5785d395a7cbf25
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 1961007BB01690C7DB548F2596007ADB3A2FB94BA8F198121CF9907798DB38DC5BC700

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered graph text) for 1b94da92b2c-1b94da92f03: calls GetModuleHandleA, StrCmpNIW and lstrlenW; subcalls to 1b94dab2ce0, 1b94daa6090, 1b94da9199c, 1b94da91bbc, 1b94da93844, 1b94da9152c and 1b94da985c0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: 2b5b56178e1dd60846ff1411c3348c25afdc0c4170f5190034af9a68a1468625
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 98B19B7A211A9086EF648F25C6807E977A5FF44B88F865856EF09537A4EF34CC8BC740

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered graph text) for 1b94da66910-1b94da66c2c: references __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c; subcalls to 1b94da66fc0, 1b94da66e54, 1b94da66f04, 1b94da67190, 1b94da66f7c, 1b94da66e1c, 1b94da67318, 1b94da67130, 1b94da67154, 1b94da66fac, 1b94da66ec4, 1b94da672dc, 1b94da66e0c, 1b94da66e38, 1b94da6ac0c, 1b94da6268c, 1b94da75780, 1b94da67180, 1b94da67098, 1b94da6abc8, 1b94da66a78 and 1b94da66910 (recursive)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629149043.000001B94DA60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da60000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 2b7c7a3ff26d452d22de7ec1fd6257963b3f7cd2820866f5c22045ef821cbe87
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 9681EC3A710601CAFB54AB6597413D972E0EF95B80F5E84A5AF89837B6DB38CC4F8700

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered graph text) for 1b94da69944-1b94da69e1b: no direct API calls; subcalls to 1b94da6a814, 1b94da6bb48, 1b94da68a34, 1b94da66d40, 1b94da69e1c, 1b94da68e10, 1b94da690e4, 1b94da68cb4, 1b94da69124, 1b94da6baa8, 1b94da690f8, 1b94da6a8ac, 1b94da68d44, 1b94da68f50, 1b94da6a038, 1b94da69870, 1b94da6a99c, 1b94da686ac, 1b94da6a3f4 and 1b94da688a0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629149043.000001B94DA60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da60000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 185b045793e0dd5fa6c77c60bc54875c7f67e5de3b2f8cc83a3ebf1dae97a93b
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 17E19C7A600B80CAEB60DF25D6803DD77A4FB56B88F120515EF8957BA9CB34C99BC701

                                                                          Control-flow Graph

                                                                          • Control-flow graph (rendered graph text) for 1b94da9104c-1b94da911d0: calls RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap and HeapFree; subcall to 1b94daa6168
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 9be938eca48de88435d24c63339287b55dbb0c5e3be7a72195a9d72b9edee393
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 4A418537214B84D6EB50CF21E54439EB7A1F789B98F158219DB8907768EF38C84ACB00
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001B94DA9C7DE,?,?,?,?,?,?,?,?,000001B94DA9CF9D,?,?,00000001), ref: 000001B94DA9D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001B94DA9C7DE,?,?,?,?,?,?,?,?,000001B94DA9CF9D,?,?,00000001), ref: 000001B94DA9D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001B94DA9C7DE,?,?,?,?,?,?,?,?,000001B94DA9CF9D,?,?,00000001), ref: 000001B94DA9D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001B94DA9C7DE,?,?,?,?,?,?,?,?,000001B94DA9CF9D,?,?,00000001), ref: 000001B94DA9D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001B94DA9C7DE,?,?,?,?,?,?,?,?,000001B94DA9CF9D,?,?,00000001), ref: 000001B94DA9D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.2629564042.000001B94DA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B94DA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1b94da90000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%